23542300x800000000000000040449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:22.020{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82CFD8C62008F42035B3D1BB86229CB,SHA256=B24AF0747285F1763609201DE3BABE019897060A5EE5F35A4F542CBAA9FDFB49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028204Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:22.209{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=168B6AC749E6CB1514B5EBC6B65573D6,SHA256=04875C2B4B678468A347469EFE06A850E6F6F7D940722017E1AB8CD0DD92D315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028205Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:23.240{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0906FCA274EDDB222C9F8289661A9824,SHA256=43134C594BC5188E9FCE192C3BDF5DFDF4C321564A8F2ABB26B02A7C33E1CDB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:23.051{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE10B960ABF568FE37B47CCC7E48894,SHA256=4E5C2B364992848E33603833ABD32A2675DDA4F3F901E5FE8D3E3E18CF24C1E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028207Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:21.691{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51085-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028206Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:24.255{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD64FEE06B73BA42B83597D4446E65E,SHA256=6D604179B05DB757339A61198B843F0E798F340F3ACADCF58915F5D5F2B73C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:24.082{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8BB5867148DE3C0573DFE2053BCE89,SHA256=726EB69BCC423E5C5AE1EE37CA3EE081D92D088447E86236A5EF367493F29766,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:23.021{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58928-false10.0.1.12-8000- 23542300x800000000000000040452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:25.098{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250DAB43C74820A8FBEFFCF7C88ACD5C,SHA256=344146D546EEB3E3B2E36B7055E518F3A2783CFB86208649B5305D291337774C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028208Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:25.256{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBFA1F0984B58428E5AE9ADDEB425B1,SHA256=316A8F6E66655B13A3B972C6A3BC252038C4BFFA8EBBA87C0B69CF4112F8398B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:26.114{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FCBCFE3A8A7196A9738932E1913C950,SHA256=EB499B48C8E9DF0EE4C377742518B07C1980B63C095662005807B0653BACC180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028209Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:26.271{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE27D6E85B33C4529FE2A010FE26E90,SHA256=2F02B07DAC33A743AEAD0DE8F9905BEDA5B2A90418897809A8A7261E68948084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028210Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:27.299{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB708C9AB1C3AB6C299FF699ECF0382,SHA256=C17C61850E826932F4E85B4FFBB32674C81707F20CD101DF53C66BDBA491DC2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:27.140{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E186328C2B17AEB12FA1117019045F,SHA256=69421D72DB752EEB13CFF9FC7BCCA366E9542EE6F567C9C0DE98A6BB22AD08B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028211Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:28.330{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E72EB1D8C5FEF7A084D31D346F044E,SHA256=244C194A961C0123154ECDC70FBA48F020A0AF8811C5F5138B9E048966CC0FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:28.171{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480A95DC97C8B7EC9E796DA19B6477C8,SHA256=59EC4E85FB7B314BC1B734C1AF99C4B354F3C28CF37AA48511C3960115D123F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028213Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:29.361{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC842E7C089F81B29759421E7530F0B,SHA256=24431FBBFFF065DFD04B24899388DFA550ED80C0C8343EAAF494E4645610299B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:29.187{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB626D74C4B517FFB836B9EC6F1D78D2,SHA256=BB484A8E6BBEE6063BE90342839052DA43FC640CED2764E7A53C853AC2C32DA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028212Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:27.688{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51086-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000040459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:29.045{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58929-false10.0.1.12-8000- 23542300x800000000000000040458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:30.202{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524C57B296DAB221D40BA70FFFE3FA0B,SHA256=414B39BA6CCCCD35963227D28E6C6939DF5041C80DC95BE308085CB400D6E56A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028214Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:30.377{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A460B853CB0D68CB061C726923A83C6,SHA256=6D4E68CCC490CD2675283013CAFD6CEE1880FC130BD4CE384E2324C21B525759,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028242Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-77E7-616D-B106-000000000502}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028241Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028240Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028239Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028238Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028237Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028236Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028235Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028234Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028233Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028232Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-77E7-616D-B106-000000000502}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028231Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-77E7-616D-B106-000000000502}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028230Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.893{6F8252D3-77E7-616D-B106-000000000502}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028229Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.658{6F8252D3-77E7-616D-B006-000000000502}31883344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028228Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.424{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B1D59DB4F2E90287703A60AD4D43EA,SHA256=6CB29FDF529A022BECFEE86C7A0C058BB9CFDD0240A61ABE7963E613CD6D12F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:31.234{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7161C4CBC439D9DCBEFDDF6B8D504139,SHA256=151DB3D0810A242692044A0973F7818F881F26176CECE7153FCDDAE14B8BAC26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028227Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-77E7-616D-B006-000000000502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028226Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028225Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028224Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028223Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028222Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028221Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028220Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028219Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028218Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028217Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-77E7-616D-B006-000000000502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028216Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-77E7-616D-B006-000000000502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028215Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.393{6F8252D3-77E7-616D-B006-000000000502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028258Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-77E8-616D-B206-000000000502}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028257Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028256Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028255Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028254Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028253Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028252Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028251Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028250Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028249Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028248Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-77E8-616D-B206-000000000502}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028247Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-77E8-616D-B206-000000000502}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028246Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.565{6F8252D3-77E8-616D-B206-000000000502}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028245Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.486{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49FD0EA9A4F219966BB6D58F18C5F2A1,SHA256=39251D312418A453F6CBD93BC5229A4BF9431E9E65A799E1DC03195AED1A3A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028244Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.486{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69F709EC8364906A732B02887B02A0CE,SHA256=D5E4D03A85B1D1419E81B38CAC8DBD15598F4F26BD3F280D027AEEA9CC2E0DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028243Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.455{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CF90B3325F8460541ABCDD5CEE55E7,SHA256=E5B5523CDFC3B7713C7D863C38C6E753D655F3DA68C2390AE67DA3210C23CC72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:32.234{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBAE878639163918BAA5D74FB22AA04,SHA256=00FEDD6C2A638A46140A15EF9E13A8572DEEB8713D9A59A60E7956AF14F24F87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028274Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.830{6F8252D3-77E9-616D-B306-000000000502}26523952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028273Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49FD0EA9A4F219966BB6D58F18C5F2A1,SHA256=39251D312418A453F6CBD93BC5229A4BF9431E9E65A799E1DC03195AED1A3A54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028272Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028271Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028270Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-77E9-616D-B306-000000000502}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028269Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028268Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028267Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028266Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028265Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028264Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028263Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028262Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-77E9-616D-B306-000000000502}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028261Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-77E9-616D-B306-000000000502}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028260Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-77E9-616D-B306-000000000502}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028259Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.455{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557C9EA0179154DB2CD69CA6BD874397,SHA256=AD1EAD135D9EFC3A0656AAB312053C566B35FFF42963F9B2EF18D60F5476A8F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:31.904{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local58930-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000040468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:31.904{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local58930-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000040467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:33.265{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A604225B1A6D9D8A563962F677567BA5,SHA256=CE772D4B00FEDC42A6C9CFD1EBE9A20806D6423EF2065F59D2936ABA342C120D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:33.093{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:33.093{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:33.093{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:33.046{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8C65DF0ED8F379AC949AD6160CEC9F4,SHA256=6D6E786532B6ACD5C0CB3D10FBB901F3A8A932A1C91173E41492DB1E199E7248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:33.046{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95125152DF68130E04D405AA82B57B35,SHA256=1EFA9DFDAEE2BEE74E039E9FB8251F25E2D6FA78D8FA82238F775BA4C3F9CCAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.937{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.937{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.937{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.937{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-5BA4-616D-0100-000000000402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000040485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.280{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD85EEAC63021DF70197B83A9C29FC53,SHA256=5581DA520BFB58CFCD5AE264041FE1E87D8E7EEECBBE32C0C02473D6D46BE878,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028291Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.955{6F8252D3-77EA-616D-B406-000000000502}38323628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028290Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-77EA-616D-B406-000000000502}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028289Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028288Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028287Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028286Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028285Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028284Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028283Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028282Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028281Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028280Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-77EA-616D-B406-000000000502}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028279Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-77EA-616D-B406-000000000502}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028278Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.768{6F8252D3-77EA-616D-B406-000000000502}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028277Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.658{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E209B434B2134D1DD11789E3B8BE7CF,SHA256=30A07C23572EFCA6488EBD5B22BDEAB2E9460EDB0D3BD0EB22FDF1C51619796F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028276Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.750{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51087-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028275Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.486{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2BA28B0FE6579835C65B84063F014B,SHA256=723C33B3AC4DB54E3890F11147EFDF0FEC235AC0F6D9CA2BB1451943762752B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028307Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.814{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63AFCFC4AB92612A5E02D9855EA67573,SHA256=AF6D36E48B1D861ED4489CA8B7A6A8E62E3AF6C8DF5E6B887960EB5443608831,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028306Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.642{6F8252D3-77EB-616D-B506-000000000502}30123724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028305Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.533{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F161A78748F4CBFEAFE1E2B7430991D9,SHA256=008BA1EB3BF74208FC8BFCF2A3A5551BED15FFC6920BA61B4FD8239A92CAB0A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.076{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58931-false10.0.1.12-8000- 23542300x800000000000000040490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:35.312{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E09DAF62EE4BFA618DFDDE963D9EFB,SHA256=9C66F561EB311DDCD63EB5DD5D8A49D776085AFE58642D5F09943E9B8001F335,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028304Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-77EB-616D-B506-000000000502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028303Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028302Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028301Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028300Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028299Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028298Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028297Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028296Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028295Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028294Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-77EB-616D-B506-000000000502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028293Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-77EB-616D-B506-000000000502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028292Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.440{6F8252D3-77EB-616D-B506-000000000502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028321Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.549{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9776250728F98B2EC9DCFDE7DC0712A5,SHA256=7E00F0F85965CC0BB3DB761C00033D064E276D0B5C3F1A1ACEC4A36434A39519,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.814{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58934-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000040498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.814{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58934-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000040497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.721{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-185.attackrange.local58933-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000040496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.721{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58933-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000040495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.707{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58932-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000040494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.707{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58932-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 23542300x800000000000000040493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:36.343{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F404499A48D7C3EF1580EB94564E07,SHA256=6F38061B1E0B2F58CAAEC4E0ECF40587C29622690136511090B87121B56E17A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028320Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-77EC-616D-B606-000000000502}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028319Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028318Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028317Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028316Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028315Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028314Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028313Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028312Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028311Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028310Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-77EC-616D-B606-000000000502}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028309Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-77EC-616D-B606-000000000502}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028308Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.112{6F8252D3-77EC-616D-B606-000000000502}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:36.062{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8C65DF0ED8F379AC949AD6160CEC9F4,SHA256=6D6E786532B6ACD5C0CB3D10FBB901F3A8A932A1C91173E41492DB1E199E7248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028323Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:37.564{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB5DBB94E2F8D823B67B75A6C565107,SHA256=93331CC095A189697037B83D1FBC08F3B3CFC8744D57DD7B297F07C7041900E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:37.374{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B438C8946BF684B14B1625DD70DCA05D,SHA256=60875742F25087803DF2E7568422E1C2E4E61173FD9760673161021D25C35F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028322Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:37.158{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A663CCA4146CA479E49EF9607D5E3AA8,SHA256=39E8B85034263663FB52D56247FEEF91C15EAD56A9FBEA6780318988CDA0ECFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028324Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:38.580{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5612BB2089BBFA88B9D333830BA513AB,SHA256=6B6B6C18C1E1386A6A42C94AEA99F95DCC278BD38E988000AC9EE4F9958F4FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:38.468{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C1997850CBFA0E91CFBA037A0EFE05,SHA256=1E43414B4714BADD3511D6F4D9C7F7C3DBB61DC2A45F2506B9538F216C92CA0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:39.702{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF51DB0B929282A1ABD7F6D45A5EDC5,SHA256=B08CCECE05052E76B1C71BAAFBF3CBC2DF4B7C0757FEA65E36EAEE17A277A301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028326Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:39.586{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5D6D5FA67D3B8370E7DADC0B908E58,SHA256=3A0A270DFBD4F6669C472B50078477B29669CC0900AD2AD83A71597B281702C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028325Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:39.427{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-108MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:40.734{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=125CA498DA2A93D54FC99FDD87660B11,SHA256=949733019B82005EB30F00F35661988C4B1E184873DD13742815A2CB80BEE81A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028328Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:40.599{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8EF5C5DBB9DE78579F888BA788E005,SHA256=5A5BD997D3F004C19916C40314DF8BC4FEB56ACD009A10A66E5FD0AA839B2BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028327Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:40.429{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-109MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:41.780{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357CA08AB220F38248077CCD332E005D,SHA256=FFC0FB53BD506E8142E6059CDF59C28D9C4613309BA5309889D2EB283D23B48F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028330Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:41.601{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68ECC52FC633729965B6874BF2000B1,SHA256=64F1C51565AFD01E533B408E7C77C719C024FCCDF42FFDC860A42EF5EE8BABC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028329Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:38.767{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51088-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028331Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:42.617{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2304E8737906CA93379774DC8C2349F3,SHA256=2EFC277653292C2D70DA1C4560E7D0CFA7E67DC08FD06D46E35D78580ABFD51A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:42.796{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0536D61D64C33C82A9B30C3CFBBB7D1,SHA256=4F09CF2E1A3AFDD34078A72D8C63340D61C545339237A703E10113E2E69FCE39,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:39.982{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58935-false10.0.1.12-8000- 23542300x800000000000000040507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:43.812{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BD0E6DB21327DABEBE811685A3BD45,SHA256=D9A97CCD7B8D387F3AA0C81E810DBB2E691918AC5AEB7155329232C2B38B06E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028332Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:43.632{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4E6966F1AEE03E4BACD50AAC161BF7,SHA256=0D023D29652AD64AB1DBCBD2393BDD1F26437D3664090AC878359178CA1CA239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:44.843{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1642AA38DA3AD180EDA2699B876D8B12,SHA256=EABB62D8CE5739752299188FFBBD5022167D5ED43B2782809D9FEA8588E6B3AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028333Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:44.648{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15326944A319B63B4A76DAF226768CBC,SHA256=7C11C699DB71ECBDDA8BD7A9096A93C4F3D5AC52EFE617074C11B7EA384E4EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028334Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:45.664{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198E0176816C49397E82E6000FC3C1B7,SHA256=52344E2DBAF26A82CA864DF5EEB95A9028E91BFE936D9EED8EA08A335310335C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:45.859{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4365509FB2F5A5550352662D0F6E8F82,SHA256=4F50A306B5D73152EB8C0D37EB8C35689FC0EEE52387748CE7B278043F63D170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028335Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:46.679{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0962E1A9E196565495C9B98EF1DD1CCF,SHA256=1381C5CDEAE5F055C4AD4E355B45CEE41028DD4633CFF1ADF7DBDF85D29F7781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:46.874{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F564E23E2B475C428DCDDCEE9EFE99,SHA256=08C87B92943B9095EEB2CD34B731E9B80C3B47D1E8C5EBEA25E3A1FE2ECFE90F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:46.655{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47E60DB110EF299E91B9CB818C32118F,SHA256=5925BCB5E2CAE9A956A8902FAE35D65DACA4571C511C8BE6011BBCF8FCE58EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:46.655{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D2D14E88B1EBBDEDDD59D987D7BCD3C,SHA256=85D30CC0F3771F7E6182174CC4616A54A352AEB97465C6AF9FB7B043CCEB9291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:47.890{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB6DE768C71485EB4FEF9AC4BB4512C,SHA256=FE6D8E03AE0ACCBE850343D18C7670C73507BE31737BEEBED0E380A3C5EF7996,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028337Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:44.724{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028336Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:47.689{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C4FDE11E4EF8431E28C5F7360B8627,SHA256=80C37E15E15F2879B76BE59B560E77316D1773F0DF2BD3B87498A03C48DE8F07,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000040516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:34:47.499{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\60E60F09-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_60E60F09-0000-0000-0000-100000000000.XML 13241300x800000000000000040515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:34:47.499{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Config SourceDWORD (0x00000001) 13241300x800000000000000040514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:34:47.499{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B282E4C4-BB5A-46C5-9F10-A3714310BED4.XML 354300x800000000000000040513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:45.092{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58936-false10.0.1.12-8000- 23542300x800000000000000040521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:48.983{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1C98FBFAD8E776C37673FD4C09EDF0,SHA256=AE4A94E34083634EE2C269690F14D368F6D5070C12BAF37F7D44A04926DB614A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028338Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:48.705{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8450526CA8985F88DD315070BF9024,SHA256=ACC4E10CDBA42D8C5BE94619B7A07AAFDDA541D4748505CB544CF3D2FCAE4979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:48.530{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47E60DB110EF299E91B9CB818C32118F,SHA256=5925BCB5E2CAE9A956A8902FAE35D65DACA4571C511C8BE6011BBCF8FCE58EC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:47.359{8D4DD44E-5BA9-616D-0D00-000000000402}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58937-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x800000000000000040518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:47.358{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58937-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 23542300x800000000000000028339Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:49.720{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF83A8154EDA9A8052278492121C5E8,SHA256=CA205CBB8E5DC1F287A04513958D1D08B00216B74455CA74977EC055CA653209,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:47.393{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58939-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000040524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:47.393{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58939-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000040523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:47.380{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58938-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000040522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:47.380{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58938-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 23542300x800000000000000028340Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:50.736{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7A7F7F7951E63A436A3E7467941232,SHA256=EB70F186903D6CACEC46FC2E167D6832C27D976BA153EDCE708A26EDDDC9D22A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:49.999{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8932ED7A25338E54A66A1B66EFE6609D,SHA256=A60F87D68BB0F6CFE62DD77EB0F3EB53C62EDC74BFA48411607E9237D1119067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028342Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:51.783{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4143233949AA62718AA63D2860FB2700,SHA256=C50112E8D515BA0F6C67162A53616E36A765F63E1340ED4A160DF16F36B6A50E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028341Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:51.752{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C021CCF09E595EC3C4F90143EFDC70,SHA256=54D546F8786A86BBA79940E69FE99816103DB850ADED0B9AC225E0517E5FABAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:50.108{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58940-false10.0.1.12-8000- 23542300x800000000000000040527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:51.030{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF047D237CAF58B0E17148D64BC2C9B6,SHA256=8FB710EABE2D44B335704A1E39A2B4FDB1FB52A1F87061CFF0D69BFA8ED8B3B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028343Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:52.767{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9A494C00A78B76FAE74BE16EDF783C,SHA256=FCD0DA39ACEDC50FD4FA461ECADA282A2AF636E1CE53BE70BD1D7D7F29BFCCEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:52.233{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30B0EF832DB5CD3CF340CDB0EECCC11,SHA256=0FEF625F190C7110CC4DF157EB6331046670200683803D91F79656F48CB16E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028357Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:53.814{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB3A03941D0DF5EAB9DE42DD623B222,SHA256=3040768B2AABE2C6CB402F35C90E2F075A7228C5FE178E7A9E532AAB787CD2EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:53.249{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2FBC1F29ED96957BCB259836366C0F,SHA256=9691DB8814D85586D5E51DE22A5F1A2575C47786A92BFC1BEE942EDD5A2634CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028356Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:53.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1600-000000000502}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028355Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:53.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1600-000000000502}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028354Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:53.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1600-000000000502}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000028353Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000028352Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0066a3b2) 13241300x800000000000000028351Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c41c-0x8c7c3bf2) 13241300x800000000000000028350Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c424-0xee40a3f2) 13241300x800000000000000028349Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c42d-0x50050bf2) 13241300x800000000000000028348Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000028347Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0066a3b2) 13241300x800000000000000028346Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c41c-0x8c7c3bf2) 13241300x800000000000000028345Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c424-0xee40a3f2) 13241300x800000000000000028344Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c42d-0x50050bf2) 23542300x800000000000000028359Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:54.830{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D1F08B8C29DF335778E8662FB8C5FA,SHA256=FB829D1E386127B39007C5F83AFD7EAB8D3E3D6977D943DF34F3D6DD50F931B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:54.280{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B423643112D47EE7F3950155DBB168AB,SHA256=DE1DE1D72CA91ABCAA3937A55513CAD4BA001E422593A232D2C75B788C830E8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028358Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:50.656{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028360Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:55.877{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952839625F5EA815FFB85F8E2A9B4EF7,SHA256=9AB6E40162C6CACE0F682D9C63A44FAF93259475B0365A2D67C931A77A690179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:55.311{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34EC3F34C319E00EE488276DC2CC03FC,SHA256=DF7DDC6420E06B4BF83D0EE34F1A5C54D87B1581BD55CF001AD8E3F66E75AD61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028361Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:56.892{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DEFB0E7B6BD665364E2FC2FF553358,SHA256=C52653E5B116DA7371FF7409D08B5FCA78BAF55780A92E4A4C2DD3AA3B5447F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:56.327{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7CE89F58064D7E3CE4EFC5AA30108B,SHA256=46B655513B48B758E293FE87485CABDE37AB2BAF63D7A6F629363365D9CF42F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028362Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:57.908{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CA4DC984C9EA51354555E778AE09DD,SHA256=3DACB42D0F19A94563D1EC4CA9793262209DE787980C7F8BCABB5645651E1E7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:56.061{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58941-false10.0.1.12-8000- 23542300x800000000000000040534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:57.343{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA2B273A60070D50CCA00E9CB1594C8,SHA256=26C6CCB3CFFD2E7F6895E6AC1A566B2682705FDD4E4BB2F727EBABA3D3571434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028364Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:58.923{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA45687B396714C12FBE484E56AE655,SHA256=A01AA6C808F7A7A9ED94427B89062D496C6EC3C724E796DDE4A89C784AA9099F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:58.405{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D866F2C8568C3DA7BD874DD4310AEA,SHA256=82D7F9924AF6B36FA27483E2C65CEF616D57C84082110508E42D0A1E6615745A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028363Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:55.765{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028365Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:59.955{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45EAD79F835AB5883C8FB9438882E4C,SHA256=7658D874147D79A0304CF5800C2D13041C6799D25D692398C5650C05AD89E2F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:59.436{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=343DC651E41CF6CF9F97D30DBD5A401B,SHA256=C89C31C710D783C1ED237B41C3CC3CFC084880BAFB4C38B42CBD8976E93EEAA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028367Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:00.986{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B475BA2719ECF8F972482BAC28F7B61C,SHA256=328012053422D3E6EA957A1F827FD4642134FE344546943FB8922F817BCDB347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:00.452{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905366F190631EA30B9D9BF37FD92471,SHA256=A7CBEF8FD0DDEB6AB5657545FE65DC0A6E80A1C48AC56DB10A9CDB611FB4BB9C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028366Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:35:00.080{6F8252D3-5DBA-616D-1200-000000000502}288C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7c424-0xf2b91ac4) 23542300x800000000000000040539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:01.499{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14444DC99DB6DFA655A8240F1818C79,SHA256=6A2DF3AC3621F7272B95D2A392423C7BA9C8F9CFC39DB3FB6DF641F0B4EEBE12,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028368Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:59.623{6F8252D3-5DBA-616D-1200-000000000502}288C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-470.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x800000000000000040541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:02.671{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8BDA937F301A9C536B499C8789FEF659,SHA256=78C745ECB4A6E08FA49A4C9B10BD413A8EB6E624437B1A7ECBF7B1E8E3721D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:02.515{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB5F49D8C6C355E45E321FFFCC44481,SHA256=9B47D277EBA05DFCC744E879DE60F30B15A4D789AC5A1F7F7A65B0CA428CA057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028369Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:02.017{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90A302BCCCC711DD8D227ACF7915589,SHA256=09AECC544E61A0901E4EB175B6569BF4B26D9651E0F8F83A51AD3DE4D178925A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:03.530{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D10C1C75E47C15CF025874422D6ECF,SHA256=E690026E3BB910724FEE18FFDDC25D4D4BD08A9E5F3852F67CDDA0EDC7455DB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028372Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:01.379{6F8252D3-5DB7-616D-0100-000000000502}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgmfalse10.0.1.15win-host-470.attackrange.local138netbios-dgm 354300x800000000000000028371Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:01.379{6F8252D3-5DB7-616D-0100-000000000502}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-470.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgm 23542300x800000000000000028370Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:03.095{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6A1748117C0E84D79FDC29BE2D40F5,SHA256=33EB2ED97C33544D2DDF3F120BD3E47B10AD9F23ED7CC91CDC2FCC60AFDE67EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:04.530{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF719CC80E0F6445CE522736DBE8514F,SHA256=47826C430F579CC2BC3AA11D36E653BD89F31536B360446390094BCD4EF62B2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028374Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:01.796{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028373Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:04.142{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F121320B60DB3025E61B6F8C59FB5D2C,SHA256=3FCA617AA347BEF3BE9AE6E99C26E394E26948DF5F8998D5A0D9BFA6905BD325,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:01.984{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58942-false10.0.1.12-8000- 23542300x800000000000000040545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:05.561{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31954A4DB8DA64B5F39866F9DE821E3,SHA256=6084196B7C24C611D0997C60683A7E971A45CC80D2610183F73D6121C9B56871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028375Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:05.158{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A62A9EF69578CA146E3B455A9D652B7,SHA256=7B71C9332BEB61C836F3EF7994A4A8009F2A43C80A2179DAEB49F87D9606155D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-780A-616D-F208-000000000402}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-780A-616D-F208-000000000402}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-780A-616D-F208-000000000402}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.846{8D4DD44E-780A-616D-F208-000000000402}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.577{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BB0CF381D9FA11CC23905CFECE8174,SHA256=77A307D232CD4B41FE2B02C14A1A0C99E983FC560FF2F4D20B94FC361E2B2E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028376Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:06.173{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB0E91AADFC58EDE4F28D33DC4880A9,SHA256=78C894A074A4E0BD5CA9F81C56445F764EFB05AF1C00BAE168A3F60D5B2B3CDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-780A-616D-F108-000000000402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-780A-616D-F108-000000000402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-780A-616D-F108-000000000402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.297{8D4DD44E-780A-616D-F108-000000000402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.687{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CB155FC55E05D198DE0BC6DC1557B3,SHA256=66580B8D6B2DE982895D768A9E1A1D0DE221652C91A5BD0C286DE44B40789905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.609{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.609{8D4DD44E-780B-616D-F308-000000000402}9124964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028377Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:07.174{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01C05CC28F1EE87F72BCD89B0BCE5332,SHA256=FE698D39A393026D0A62929B285859F1EDCDB1F87A951EFBDBCE01C9F2F57D0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-780B-616D-F308-000000000402}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-780B-616D-F308-000000000402}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-780B-616D-F308-000000000402}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.470{8D4DD44E-780B-616D-F308-000000000402}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.422{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38033FB326FB008823CE7191B0E174CA,SHA256=AF821F151F85A370DD25648B8BDB4CE24C4823A683AC41383032F632E744C3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.422{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F69FF45BF19A0C56F457C39E2E49222,SHA256=A21434A2313BF40811DDF56374BA7A6C33EFFB5F86D3DAB13F5BC1F4487995D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.687{8D4DD44E-780C-616D-F408-000000000402}20364988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.625{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD818339A555E5748AFDC1B695787351,SHA256=59DA3292F8238F1ED4F76F779AC4F9C222F47807F0CBAC86A9EE1B28E5DDBDDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028379Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:08.268{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028378Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:08.190{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF145DB7BB0AD057874FED6EF0DE7FC,SHA256=C37ADA7CC3271A846AD9DA9444E43111BD1AD38D33548A1D54E63B689755EF7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-780C-616D-F408-000000000402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38033FB326FB008823CE7191B0E174CA,SHA256=AF821F151F85A370DD25648B8BDB4CE24C4823A683AC41383032F632E744C3FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-780C-616D-F408-000000000402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-780C-616D-F408-000000000402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.532{8D4DD44E-780C-616D-F408-000000000402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-780D-616D-F608-000000000402}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-780D-616D-F608-000000000402}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-780D-616D-F608-000000000402}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.970{8D4DD44E-780D-616D-F608-000000000402}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.719{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB6EE90C3CEDD41B036C53DC6174DF1,SHA256=45526E5EC98629B364EB7CBD23E7430A7F417C5D8B60111409FB5AFB85866FF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028382Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:07.812{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000028381Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:07.610{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028380Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:09.206{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD93B3E44DAC2755F2CBEE75742015F,SHA256=2BFA4D4B9BF2DCD21DD18181BBD203E52D0E17D72AC5B91585EE9BF1818855DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.547{8D4DD44E-780D-616D-F508-000000000402}45201932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.547{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A24C76792EE6E04BDED8AAA1B5F2D17,SHA256=BCBC3AF66DF25D5DBF2330B1874432565871B51699BE350BF8239AC3DEBA688A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-780D-616D-F508-000000000402}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-780D-616D-F508-000000000402}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-780D-616D-F508-000000000402}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.391{8D4DD44E-780D-616D-F508-000000000402}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000040608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58944-false10.0.1.12-8089- 354300x800000000000000040607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.030{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58943-false10.0.1.12-8000- 23542300x800000000000000040639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:10.765{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19060270D93C8000954B954CECB6E91,SHA256=A540B35FE5DAE87F72FC3D34DE40CCEEBFD6C2EB6751E67E987669BD81755F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028383Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:10.221{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9C7AC5D153A7C7971AD69D86DF74C0,SHA256=E088692CFFD6DBA2D46D7965AD4656CB4B777CD21A2C6E7253248E7AB441010E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:10.203{8D4DD44E-780D-616D-F608-000000000402}32204860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:11.797{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDFA13BD8AE3EC6E8F5DAE959ACBBF0D,SHA256=5002BB19837A6F0E07BF6D123C0089A1FB16F9106E7014DDF219BB16C89C2EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028384Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:11.252{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2544B878F5EC8150387814B6BB7520DF,SHA256=F46014C2CDB6AFCEF132A0C2F8D939C69716E70755A22EF2911E4D63038943B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:11.172{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF5C14F01E2F285236A004374DE41A81,SHA256=EF7823A31399CAC0AA973D400100B2D7C9B84EFF9A90D4D9489D5E1BB1D58BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.812{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFCCC3F01A00FFAD1D795416CC710DE6,SHA256=5FE6FE59312F0C39644121F724CC82519EE7BDF0FC5B2A2DEEB4C3B3F86FF20D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028385Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:12.268{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEE4124B8E343397118434EADB033DC,SHA256=7B3FB6E6D960D088719C14F3962579FA70A5EBCC551BABCDDAD1E6B6C424AA5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7810-616D-F708-000000000402}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-7810-616D-F708-000000000402}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7810-616D-F708-000000000402}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.079{8D4DD44E-7810-616D-F708-000000000402}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028386Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:13.299{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65132E5B41DA968A17C5D43D65DAC48D,SHA256=3BDBF35C1F0B7456D3F4E2A4881A6B591E98EDE371EF52B36AF75DAE674273F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:13.109{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B069C4C448EAD719EAC7046B6FCED1C6,SHA256=3DD953C35DB0631FA9D5B26E0A8F32F0E734C33CEEB54EA86658883E39BB943D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028387Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:14.331{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA02DEBFF1E69A7FFF3AB769DDDBD642,SHA256=B14BE7CB2AC4F22C7C9027F113CB92ED9C0719D7F08D9A76870550CBE093326E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:13.077{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58945-false10.0.1.12-8000- 23542300x800000000000000040657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:14.047{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EBCB3C9FCB04253B4AFA16CA2D71E72,SHA256=3D47B57CB36835D215295FEA2233863E45BE81317F5991270E879ACD4FCADC9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:15.062{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1612184BDF89B5EFA685797DFA0C63,SHA256=0C241AB7D0FCECCB12FF0EE956462DE2A92173A4C36BABD4511950C71EF8CBAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028389Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:15.424{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DBB99DA8761F1E7CBFB817E994292D,SHA256=09E6C25EE91ADBD146A07EF0059ED09357C67E843C84A72F76440DC0A01E5EE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028388Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:12.797{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000040660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:16.297{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1B318CB1CD4A8DA36A12F552D260BE,SHA256=ABFD49C76E676313BABCA0208A30CE3B3699409E2213EF83DE30B63E67E86EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028390Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:16.456{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C876120013A63BE4BB6E32DB422A14,SHA256=DDCF0D0EAA2D7EE4D440EFE918158294C28FB03C985A0872EA5BE05A9B099BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028391Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:17.471{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33DD96ECF0EC5D713154C9102A21D366,SHA256=CB6B417DFDDCA9B11EE0F1499C14D5CCA054D7F6F1F17A1215F78F9A0B0032F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:17.328{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DB181F13D9F9F42B223339EB5CE50E,SHA256=18FA2F2A42D275B0782C1B4B5FC4AB6C024614E37FEBCBBE8A055CA5396CD21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028392Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:18.487{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31AC8E965F8CBFAC64F1EB7BE26BC117,SHA256=43C58E0CA37756B802653D73EFFC569C95135EA4D4238E38F91C35B61AE9BABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:18.344{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DC535A839F2A9AA965659A41FD24C6,SHA256=AF86D774C9CBA8F1EB81208BDE277A7983E85D0A94962AEE1142A754EF65E53B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:19.377{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76067CFFEDEA942A6D78956976234E19,SHA256=176E28D3BDC65848087C97ADF3213889C762CF4ADDF83FF9173354AADD2AB5B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028393Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:19.487{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C36162B6E935CF9EC30A05C5F8F700,SHA256=310BF5DE65FF7F98AB18A147FBF4627259A605C4034885B1F39479C81E7220BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:19.254{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-117MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:18.873{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58946-false10.0.1.12-8000- 23542300x800000000000000040666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:20.392{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558EBFF946565A3F9425E9CD9D69A302,SHA256=4BABA3AFEA9CB70F40FF080E64F04867B272E0413D472B149D8A2A318253A10B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028394Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:20.502{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5248F850F87B0E532B3D838632C03CD2,SHA256=3A5B8F930B72A52ABE51E111B9E8AA38ED7A3012BD3B8A18FCDAFD1DBA43A064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:20.253{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:21.411{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC832599536F03BCC2ECEFFBD763E956,SHA256=DFD9ABD62BC98BAED1618A9527A4D0BAA527B03481335FE031AEE8532ECE2454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028396Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:21.534{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E13B23D6197E8807B75AA18F66DF4FE,SHA256=F78F5F110845BBC8D48ADB7E30594F813B6387144CFA8811C19F568C15DF6572,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028395Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:18.703{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000040669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:22.457{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1C502931CB80EEF54881A193B9BF69,SHA256=C7BA63F402BFBEDE5A24276AC08366629B1B572A3BDB9515BBBA1270CE5571C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028397Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:22.549{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871E3AB1CABF243274EEEB6F66C80B9B,SHA256=EEEBB1DCEBBBE29B939C85BBAD1995CC14A0E487A9C406DE095CF60356650266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028398Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:23.565{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C333206BE9348878322D6DB5A0EC6736,SHA256=50BAF8357F042EF4CA72DB3BD21FEF2CA8C483C3A9AAA016367D97DC581A7BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:23.536{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED3E4D3154E42B2DCFFBECE8DF21E1C,SHA256=C74EB447BE877F8E065988A62AA958D783CE5D1117B28D0000A6A4B7FBA726DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:24.536{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6FDB6E813630C3BAC7D4E62AD75730,SHA256=37229A61DCEB9AD7647D6A6E89B7FAF29A305B6C6627C200102DD479CBD5D38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028399Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:24.581{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AA55020005CD68702C46BE8F15AC4E,SHA256=9C49069EA3195414CF931273E515F345F9AD9DA211C84FCFB9DC952190460E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:25.598{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE53824A4A64BA15FF30625313C1FCC4,SHA256=67F285401DD0DD25C9B0DF402F5BBC775DF70936519878F40B9CF8F93702FDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028400Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:25.643{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B59949AE58D4B5898C8C5F1663BD08,SHA256=A06ED6DBFD95275D7C6401BB4686C0E669EBE6138FC5036DC0765F04D36E7C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:26.676{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0B0C28AACA3CCDA620D3C22FAB13A3,SHA256=596C4EC4631A02FAF4E3C06CB4E6F89D1E094DEA8D5A67DF1AA268924FBEDEE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028402Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:26.659{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBE7A4A282D83B84B1E4626AECEBAFC,SHA256=D740F02F9E22849F590D5E8ADEF5419817995E4C7125368D7B95F44275A7D452,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:24.034{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58947-false10.0.1.12-8000- 354300x800000000000000028401Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:23.765{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000040675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:27.770{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCE9F8BE34C59944E57C6DF99CAC8F9,SHA256=832AD37C5515CDFD1E9930410841D1B20440BB4FF1EDF1A1F1B128BF769D21D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028403Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:27.695{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F5548150173B08F213ABC0AAEF5BCD,SHA256=153DC5E6D287E2E55552300D0B090ABD2661E0A01238FDC199BEBA5AADCE0364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:28.786{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7973A197ACBC4C860CA1A3EE8BAB5717,SHA256=19A770AFA4BE5FE1E3EE2B6EF201F0876ACB26BDB4B9D1D5F04BA54AFD527DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028404Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:28.711{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0C318534444AA95C61D33FEF794924,SHA256=25684ECF1E9B3B466D37EE5755D374B91C86C4B94EE1ACF4EFC44CAF166AC442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:29.802{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653B962C216B66B8F68C482C379C2642,SHA256=6A05F2654050A80269B58EBF8C7FF52B11B4B742B2B917BE6E959C4A681BC1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028405Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:29.726{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3309531BFFA0C8BDB8474B74101F80,SHA256=B0A56F6E6F2F70525613D2FF05D3CF0695C80766A6A9F467381D68600232C519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:30.880{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173494C9817FF4327291D4000AA8C31C,SHA256=49CAF5908F8D6B15B843C0D1B59355C9447B5B16C41D6451FFDC0CF2E84922FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028407Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:30.742{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25EBD5946EF954C052898074D0757AC,SHA256=CA8D98FFD047FF715AC13E26EBC179B75598D01FBB256C5465F6C885B53D811C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028406Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:28.770{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000028434Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7823-616D-B806-000000000502}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028433Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028432Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028431Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028430Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028429Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028428Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028427Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028426Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028425Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028424Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-7823-616D-B806-000000000502}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028423Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7823-616D-B806-000000000502}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028422Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.930{6F8252D3-7823-616D-B806-000000000502}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028421Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.773{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC3DCC36CD5719BA15912C3CA1ADE1C,SHA256=A599B79C58A2B1044907C6CCAE933D47B9B2EF0EA29CAB0F59B737CB19348F07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028420Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7823-616D-B706-000000000502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028419Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028418Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028417Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028416Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028415Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028414Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028413Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028412Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028411Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028410Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-7823-616D-B706-000000000502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028409Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7823-616D-B706-000000000502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028408Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.415{6F8252D3-7823-616D-B706-000000000502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028451Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.929{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD2302CFDF15C4F20022E32352CABEC,SHA256=2B2E0B5394B180E7B12614B5C985C69D5D5329C33E2E6B0282317A770FB1DDEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:29.988{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58948-false10.0.1.12-8000- 23542300x800000000000000040679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:32.114{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D9DBC2F622F913C670E2A0C850E5BF,SHA256=8A91087F926DE8D76B67B654B90F860B632769B466DB3476FD0752C70C1C19B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028450Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.695{6F8252D3-7824-616D-B906-000000000502}2752724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028449Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B9E5CB27A643CE52793A9CF986B583B,SHA256=C9D0DF34BEAF49E60B0C519E76C65D87C2775795582BB76B1968271B3B7082E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028448Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7824-616D-B906-000000000502}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028447Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A61C7A598D2F0548CDF301EB78E54024,SHA256=71781DB82E7E4F2C03E679A0EC9B09B84B1AB2E5C13B46950801A44D235F3CB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028446Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028445Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028444Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028443Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028442Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028441Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028440Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028439Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028438Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028437Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-7824-616D-B906-000000000502}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028436Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7824-616D-B906-000000000502}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028435Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.430{6F8252D3-7824-616D-B906-000000000502}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028467Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.945{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6285B267A46CC7EC299662764F5589CC,SHA256=2302616F0E6BC20145C69C50D3515B72F07A92444BEC397F1C681E0242807A68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:31.910{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local58949-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000040684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:31.910{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local58949-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000040683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:33.177{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF75E10F894BBC455232DFFEB4EC9F4,SHA256=3E4754275413698375A0BBA5D361AC2585C256B68E4147CC169E1B06BD778883,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028466Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.774{6F8252D3-7825-616D-BA06-000000000502}9921700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028465Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7825-616D-BA06-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028464Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028463Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028462Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028461Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028460Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028459Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028458Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028457Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028456Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028455Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-7825-616D-BA06-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028454Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7825-616D-BA06-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028453Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.555{6F8252D3-7825-616D-BA06-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028452Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.445{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B9E5CB27A643CE52793A9CF986B583B,SHA256=C9D0DF34BEAF49E60B0C519E76C65D87C2775795582BB76B1968271B3B7082E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:33.052{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78AED8D31E2A170C5ED9F13AD4EEEDC3,SHA256=DC05F70D64C6D616691A85B5482D9ECBDD99E849E79782DB546FA6E145CF00DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:33.052{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9767922DAAD739BF0D0E3CFAA4A565B6,SHA256=C8147B49541DB138EED0AA1B47C31AD39DB66CD6B018EB83A1779B4EFDE1D816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028482Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.992{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261B60C5555B13CB00A2FC8E2EC1B460,SHA256=FB7142269C98482226D3D064E14666DDC104BEA94B70947F7E0CD6849A3A7BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:34.208{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C780C17471AFAEBB21DC14A8E7731A,SHA256=5841D57D61F06F86DE5F608A56FC56572CDC7CE0835CC2CC6AE2A92E4F580696,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028481Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7826-616D-BB06-000000000502}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028480Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028479Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028478Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028477Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028476Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028475Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028474Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028473Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028472Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028471Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-7826-616D-BB06-000000000502}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028470Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7826-616D-BB06-000000000502}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028469Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.774{6F8252D3-7826-616D-BB06-000000000502}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028468Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.570{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E886F24F4930778C415D4C77AC679529,SHA256=DAAF9A267CFD67D9125FDF27BA33B7DE2E0CF8D33837BED1F3D2DAF2E111BBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:35.239{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8DC7179A9315E87B6E4A86159CAED8,SHA256=7EC83A662E6214148FA7B258570528595F08654458BFD8F7D18953F93131C604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028497Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.789{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9D128C205B3F32CA3ECEAF7B37BAADF,SHA256=D68CB1FF179A9327EB145FCAC589125CC30079322C1367360F402BCF3746DC21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028496Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.632{6F8252D3-7827-616D-BC06-000000000502}13164040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028495Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7827-616D-BC06-000000000502}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028494Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028493Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028492Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028491Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028490Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028489Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028488Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028487Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028486Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028485Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-7827-616D-BC06-000000000502}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028484Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7827-616D-BC06-000000000502}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028483Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.446{6F8252D3-7827-616D-BC06-000000000502}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028513Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.770{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000028512Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.320{6F8252D3-7828-616D-BD06-000000000502}2748328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028511Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7828-616D-BD06-000000000502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028510Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028509Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028508Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028507Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028506Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028505Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028504Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028503Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028502Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028501Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-7828-616D-BD06-000000000502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028500Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7828-616D-BD06-000000000502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028499Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.118{6F8252D3-7828-616D-BD06-000000000502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028498Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.992{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48BC8A0F96CE805D08031E3CC91752E,SHA256=3E8C5EBD2F525FFBEF46122383AF988521F4F671767F6723A8C4AAB84BAB25AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:35.003{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58950-false10.0.1.12-8000- 23542300x800000000000000040688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:36.239{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16605B59BB9E1B76C4787CE25E505356,SHA256=EE4209AF4C9B55C31FD43976FB8ECB712ECA1D5D920297BA5FD90FF49C1882B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028515Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:37.148{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C8596DF254157F5DF170BFF1BD91DE0,SHA256=FC215A0761E23F1AF1B26730E946907FC620FB7EA0BF7A7F5653EAA75A53AB08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028514Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:37.007{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436D23DC1521C11C3CD043B85083EEC9,SHA256=85802DB72EB21DD5954927F04C0C366B147C4879857284F3033245EB71825B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:37.255{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E46046C4F2D29485253E74B8D99970,SHA256=A754BD970914624DD18873D7E72F2210AA22D6CAC79D80D3D8870251AE490F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:38.286{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD168063D7B81F331198EC17F1851DE7,SHA256=DE71DDBF4B853C058FCF8C21887C8BF353C6E4426E96754AC0A765EDB05A3459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028516Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:38.039{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B088956DC754E4DA99F77DBF62B71796,SHA256=E06E70CD322B8AC9A4BCDC3CE12C54299155D95A2C9F1488415FD2DDED9D191A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:39.302{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39385D4A7C7660BD7C7016F8BC3B1185,SHA256=1CC7F5262B11A5FAD24E3843833A26EFC609DE2003700C6E0DE778D40F41CCA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028517Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:39.054{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1BFD10749775E4EC10733CB7DAE832C,SHA256=8ADBADED87502EFDA632CBC1B509BB180980259EC7638861E704D94F39AEBF05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:40.333{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C4523FAD7850FF4733FE507BB61691,SHA256=295B357CBA505F44B2FED422E2B8642145DAA70B0706E81530F28DF3627C7519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028519Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:40.950{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-109MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028518Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:40.070{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D167A0C61DEADB02F9E4892F5471D23,SHA256=DDF58F612D9D56FC44AC3782E521B2FF102A2E9647287CCD882A8618946E2FE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:40.066{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58951-false10.0.1.12-8000- 23542300x800000000000000040694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:41.349{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC3FA67CB698FE5BC0895D5778B67C2,SHA256=0670AEB4A51432FABAA4873584042A27AC9EC253CE30E0F2C27A2A9E48CA856B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028521Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:41.948{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028520Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:41.073{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313A856AC4F67A95880ECE3F02E98E72,SHA256=8617308159C94A10B19C0325DB6566FA49FEC38084CC334A12A3A19EBCCE63E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:42.692{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=726585AA579E530FD8E554D321A9F484,SHA256=2038C46AD8AD416082EF3B060EA02875D22A87C9A8830D7CE33DC575ED3553CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:42.692{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78AED8D31E2A170C5ED9F13AD4EEEDC3,SHA256=DC05F70D64C6D616691A85B5482D9ECBDD99E849E79782DB546FA6E145CF00DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:42.567{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3CE6C34891FAA24489A0653FEEC7F9,SHA256=2BD05077EED3C931B9A44B948B3FD725FF92977A4DC3D7B733FB9883E0AF0840,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028523Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:40.601{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028522Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:42.087{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9971C88C7C23EE908D40322951ACA30,SHA256=9A38C05E0930C500213DC7D281F9B502094F9774B7E4D6D307388604F88F76FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:43.801{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BC1B558EBB2DEA21F37345BB7D0B97,SHA256=22B5C151EAACA213890FE2B15D25E991DF7ED5B1CCECD7741953DB80B886584A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028524Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:43.089{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB139D7D14486285948E91CE5EC7D49,SHA256=335E992115A86768FF38625DB2251F81E356B344E3BF3CBB8D727A1642A14ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028525Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:44.105{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04C329C40EC9E08765884D001C4E276,SHA256=20EDDD2033447C74A2068EA6FA7A792D1E4EFE90C93C0A5FF7E95991C1FF7A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028526Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:45.105{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62A3C02965CBBFDC761B493FF48CBB0,SHA256=5007D31FA8509406928F085A96A967C0D4394179BE46B7E05ED49C49BB097416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:45.005{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D90173415E7D14A85E803DD3331CA476,SHA256=EE3EB73FBC16A44CA59E96EDA4D55447F992E0871E0C25DBF828BA858448B6A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:46.020{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C3C13B4D32EE8E8BDF7B4DF9BE75C0,SHA256=27B657662F15C3740F283B316B5CFC9D7E769163A7D4CF638EB556FD407A397A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028527Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:46.120{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40F0F3D48FED5D979E19C48A58F93DD,SHA256=764A85E60FA0D56C8AB58C8BAA3B65601ACD7E9A153DE9B37E60390F7FE44821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028528Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:47.132{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0E18D19EFC9174C51232FE0B69B0F8,SHA256=9C2DCE221A412474E5A31E6F5ABF5435E0A4050F01B08DA8FA8849B030E2DDE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:45.925{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58952-false10.0.1.12-8000- 23542300x800000000000000040702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:47.035{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24EB24368F4A5894516ED3139D11BB35,SHA256=3EB2367FA1C6722ABBB537C43FC17FB1AE9E383EDC44B9D8AE62A4D5523C1026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028530Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:48.148{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B160998D972270500C68B6B926332A,SHA256=37637BD0AF937D447EF9BA2E4BA8CFCBBFDFB608C8F16EDBD979FFB26592C523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:48.051{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280A11EB3FB243E4E401D567B5198749,SHA256=4BE44203FB1CEF9446650EA88A3DCE688A14BE64906D66DDBF26E14CAFE95AB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028529Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:45.773{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028531Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:49.165{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09912CEEF0545A401AE9329EB4A04A63,SHA256=AAD56252D77D0225FC5320E6552F860713CE21437F084483B7F7C18898C47296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:49.067{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06028C728FD931850C4D3D87BD258321,SHA256=8BB8C0ECAD46F4FC9D55097E9F25B5BBF6A1CAA3F4742B4DDA1FD13AE6B77529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:50.082{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8629B02D8C8E635287121059C341392F,SHA256=D802489869C751D55C10D206C03CF326ADFE83F8069ABF9647EF080C6E4F77DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028532Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:50.180{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57485397840B261332347E09E88216C,SHA256=922242EC292B3D5DA3360654BAF0F5F9FB0C9E1E4BEAB9BF860D3D55D7558A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028534Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:51.790{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2DBE0374B26E4520984C588A759BA8AC,SHA256=92A2EC70DADFD2531227867B734BD75708671063E4211EF0499AE2907FF0C079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028533Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:51.196{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B96182B98F6B04F030183FFD2363D6A,SHA256=F3D6FB9568A32E44A623A11CD95610832CE1396738F1BC9F4F4D91546E87E998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:51.098{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004985BACF4612FE5EB721734F7A2E56,SHA256=AB96FDA8938B41F4F9508488137C643931715F45CB5EA2B58152D31BC695FB33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028535Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:52.227{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABD758BEBC448F15C322E3A22729393,SHA256=E3046A6CCBF7D384ED27A7577D44AC152AA9043AC4C6B0AE1EC7F3E4EBC8EF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:52.114{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37E3A0DFB6CB90D46DB528C1452DBD2,SHA256=44E9610841CB80687405DBC5BBFCBB7DEE16AB2DABDEF9A360A23D2A6D7F9ED6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028537Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:51.644{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028536Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:53.258{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23CB3DBD3C97CB317996C6B07DD9D36,SHA256=239AF3DE4161F904EF295BC626D145E733C753E88431B6319EB2C0C1B3CCDF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:53.129{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F281F972B3D73EE12CC0B5BABFEFFC1,SHA256=B4066CF74A3318392B71016CF1A7E098E21D071C5E1A00B6B981DE82C5D13D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028538Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:54.274{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CF1B664C28A109671DCC87FEE03D8B,SHA256=694F6FD0629B14D104DFB689876384CC9B5D07A7D4E1A4CEA92B97EF5D410FF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:54.160{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5CDF946ED26625BEFA6F7B4F3A61D7,SHA256=E6F7B1D37B3891928C9F222829B36D00ADF893869A709387379DBF939A994DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:54.129{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4054AA2B09E3CB47DCF89D77A1695097,SHA256=376F47B602A841AF6BFD9FCFC427DB270B932EA745B395401BD51293DA2664D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:54.129{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8C7B3BF0150F777CC244FF5BA03E7300,SHA256=98DE8C70FEA7D627A9CF0647581AE3C5BB3B6C7842DDAC1048405DDC6C93ED8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:54.129{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=726585AA579E530FD8E554D321A9F484,SHA256=2038C46AD8AD416082EF3B060EA02875D22A87C9A8830D7CE33DC575ED3553CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:54.129{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DE35EA9C58C818A77D6A5815BDB55871,SHA256=7B2E5DA595409920D6D939515F1171B8EAF84BA1E7F8472F72AF428808E3D6AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:51.909{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58953-false10.0.1.12-8000- 23542300x800000000000000040716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:55.176{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92FBC57C8BC68CE1ED752D2B3B596D1E,SHA256=C264DA7E8FB7DB9EEC28898A7818194955CBFFE8C7C66D97BD84345E832FF624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028539Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:55.290{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EFCE7D920CFBB91FB493841B40CB83,SHA256=A42DF885D751EB6BCE2F2E895BDD2160B35DEAFA71FFDBE580A1FB7EF44AD4CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:56.410{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475E964DE5FBA0984659D0F6432D421F,SHA256=32080D0DF7E1FF18C04BD8B58551313A137CF81A7981CD8A147D5CF96B0E4D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028540Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:56.305{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144A797275388EECE1282E06442F8D7B,SHA256=00DCB5487BCE5B60CF1BEAE01C1D90DE7E48AB285D1D6268242797FE5482F052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028541Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:57.321{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F386B2863D018C6D83648FCD6DE6BBBA,SHA256=00C990AF186CB6382D8E4E901F31A93E89CAF617E5ADE6564B292E416A86BEC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:57.426{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EEECBE61AE3B6A782C16C3CF7B2F3F0,SHA256=DF8312893129A6DB3FAD8A2EB312EFB33FC380F1C8D2EC6CBC04B55D367A027F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028542Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:58.337{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DFFBCEE2B7ECFAB03E23E73EB55E1BC,SHA256=097A057DBD6ABAD55C3042AAE9745B85FE5F3927CB10A79AC1E5E171E5547CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:58.457{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC7E566301B69258C8AD55DB48DD924,SHA256=B1EAC981A3F4939276EA3EAFFC5883C0B997CA099BCEFFBD6B8F02C6EBB2A0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:59.457{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A0877F871B5B2FF479D94B231FBF79,SHA256=1FA44BAF26FCEC8403107B12A5B5B6418C99C56DCC32849F2F675AD77AFC771D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028544Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:57.644{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028543Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:59.383{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1DE8F2554050C6AAEB1FC5F59EE5032,SHA256=322D314D3DAE11DDF83470C7EA0483F0CFFEC3E648BA72E9FC9BDB6F4893A033,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:57.003{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58954-false10.0.1.12-8000- 23542300x800000000000000040722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:00.488{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF168B1A27C4F82F0130455DB11FDD9,SHA256=B1A0F74CA9F17A8CEFFC94FB3FE92EEC7D5C38AEBAFACCFAD20E069647DD76F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028545Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:00.399{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694689F3F90B89E2FD05DBB527967A90,SHA256=6D51528067B8D600034B9E55A3133FCB7A536BFCD1EC75068DA7CAE6C9A57C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:01.520{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D16DA5FB8F996BE1FBA23C3627CB8F6,SHA256=13C0FF6C1FEB0AA686FE8A16768E7CCBB51AFE8E13E9E37BF67D82E911CEC414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028546Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:01.415{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0533DCFC96996F0125E89654A59AE30B,SHA256=7A22A0A0A7394172690420183158781A689D0079E3CBD6FD70736161901087EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:02.754{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FD20F5DCAA546A4D194B95F1F5564B,SHA256=C5D75486E37DDA31935B14A4A329BEFC74E08FAD20F5AF9770F56ABDC1DDFDBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028547Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:02.446{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD58E5F95481C82CFBEAB12BCDACB207,SHA256=846F07DFC11530B495853EF62BACAB8C19229CA775F20B6807EC6D5887B0CE89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:02.676{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=672EE76BEAA105A00B74D3D0A9A66BD9,SHA256=2D74EE8E2332D4AE1B76AA86D485E9B6635EB596B3EAEA5B7ECBA87F779035DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:03.785{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305BE6BEB8AF81CD1FAE61202DC94FBE,SHA256=914DEB665924FBC7B7991F86CEC799EC9ACAA3696FCD9EC08746E1A708CC6994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028548Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:03.493{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F222B61B8F74EED40CEC29EFF6352C,SHA256=4893F0E69F38018F29B52A23FDB3D72020F4F1A5C8E4BEBA28253C959C6285F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028549Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:04.508{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FDE711EB895036E028BF0691156BCFB,SHA256=2C45FF4E01FDCD0AA18459C05074ED774C6ABA3DFDF6E25CFA386B6BD29CA8C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028551Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:05.540{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A200C3C5079D0E90CB926C65BFFC82E7,SHA256=B5F01CE8335AD01902ED38CF65F811CDA67E8F5CB81AA492ECE846A23C23312B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:03.051{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58955-false10.0.1.12-8000- 23542300x800000000000000040727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:05.004{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E09995B2604F7E4372B3153FEB828D,SHA256=7103FFFA03AAB4F950AD03B327969D53194E51DE8C6EA6848C28870EC120B72D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028550Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:02.784{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000028553Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:05.290{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.76.146-63813-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000028552Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:06.571{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA12F455D33998E98710C6B3A88E1C4,SHA256=2B3C19740E5212DD9294E4AE4F01C1AA0AE692577240330D71EABFE4557E6113,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7846-616D-F908-000000000402}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-7846-616D-F908-000000000402}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7846-616D-F908-000000000402}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.973{8D4DD44E-7846-616D-F908-000000000402}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.504{8D4DD44E-7846-616D-F808-000000000402}45642404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7846-616D-F808-000000000402}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-7846-616D-F808-000000000402}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7846-616D-F808-000000000402}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.302{8D4DD44E-7846-616D-F808-000000000402}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.020{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F5AB981E002658C3BD865533602E75,SHA256=701394EE7A7E833B9B18167049672C041903A5FA26C6B1D4F0D4D1B04B4EC598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028554Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:07.617{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17F035A33421AF422809A3FDED5AB65,SHA256=01030AE14BB95017686DD7B85DFDEE45E9355D0C7BDF94B7C59F45D2CF5FE43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.644{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.628{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7847-616D-FA08-000000000402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.628{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040770Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.628{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040769Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.628{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040768Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.628{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040767Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.628{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040766Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.628{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040765Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.628{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040764Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.628{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040763Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.628{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040762Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.628{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-7847-616D-FA08-000000000402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040761Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.628{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7847-616D-FA08-000000000402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040760Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.629{8D4DD44E-7847-616D-FA08-000000000402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040759Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.316{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C7346C532E2C91E784DACB5C99D3409,SHA256=35501AF27C7455E65EE194B6D36B8D00A3D878ED829D9D5CF23BBD3BD8C92DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040758Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.316{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4054AA2B09E3CB47DCF89D77A1695097,SHA256=376F47B602A841AF6BFD9FCFC427DB270B932EA745B395401BD51293DA2664D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040757Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.160{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C682B92924231418403B1448EB1CA5,SHA256=AF126B18C7A3FF9D67682674769B5A75C1EBB77E340A0853B75CE2F286A45DF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040789Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:08.691{8D4DD44E-7848-616D-FB08-000000000402}32402192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040788Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:08.628{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C7346C532E2C91E784DACB5C99D3409,SHA256=35501AF27C7455E65EE194B6D36B8D00A3D878ED829D9D5CF23BBD3BD8C92DFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040787Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:08.519{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7848-616D-FB08-000000000402}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040786Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:08.519{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040785Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:08.519{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040784Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:08.519{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040783Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:08.519{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040782Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:08.519{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040781Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:08.519{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040780Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:08.519{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040779Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:08.519{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-7848-616D-FB08-000000000402}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040778Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:08.519{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040777Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:08.519{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7848-616D-FB08-000000000402}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040776Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:08.519{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040775Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:08.520{8D4DD44E-7848-616D-FB08-000000000402}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040774Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:08.331{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0255BEF3290BB887D2EA577940A7B82,SHA256=F7DB3C3E96646C6680642B67D401FA6E212B4653B589BC9C3591CAEBA88E74A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028556Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:08.633{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEBF916147CD54F320A53162656FABE8,SHA256=FEBBE9ACB909E97AF37D66194ABCD8739CEC5168EA5C6A8DF693122C48D2CC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028555Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:08.289{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028557Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:09.648{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD3691F4B8BF9A6ED3B290A7B5D0F34,SHA256=1E0F3921B7FAE2B030D1C0C6ACECEF6FDF258A1DE53959D21F4D7EFA80A9FF0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040806Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.502{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58956-false10.0.1.12-8089- 354300x800000000000000040805Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.736{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51829- 10341000x800000000000000040804Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:09.566{8D4DD44E-7849-616D-FC08-000000000402}15642168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040803Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:09.409{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7849-616D-FC08-000000000402}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040802Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:09.409{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040801Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:09.409{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040800Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:09.409{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040799Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:09.409{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040798Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:09.409{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040797Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:09.409{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040796Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:09.409{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040795Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:09.409{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040794Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:09.409{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040793Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:09.409{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-7849-616D-FC08-000000000402}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040792Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:09.409{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7849-616D-FC08-000000000402}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040791Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:09.410{8D4DD44E-7849-616D-FC08-000000000402}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040790Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:09.347{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B297602E981436F3EBFF4E9760F9821,SHA256=C9ECA56855471DB38F3EC7BA3CA957A487445F231BEA4E3ACB9779B1C27CA2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028559Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:10.680{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC525A686596ED4C31DEC0B19F2968B2,SHA256=37670B3ED456C05D94C954C37FC34CFC08E51EE1EE68D9EA0B65F72BFD68F5A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040823Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:09.033{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58957-false10.0.1.12-8000- 23542300x800000000000000040822Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:10.441{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6CF87B8695233D1A1508274B82D19EB,SHA256=8BFBBB8619ED43232A4F3A835DBBFFFE11F51BF5FD0D6DDD3B892CA6CB969114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040821Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:10.441{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BEE5CAE347E1FC1A89937F7B97B881,SHA256=06C72CCAB483ECC68BA8C3671466F2CEEA0139872D9A9984C80F882AA14CBAF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028558Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:07.830{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000040820Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:10.253{8D4DD44E-784A-616D-FD08-000000000402}19005044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040819Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:10.081{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-784A-616D-FD08-000000000402}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040818Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:10.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040817Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:10.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040816Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:10.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040815Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:10.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040814Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:10.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040813Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:10.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040812Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:10.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040811Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:10.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040810Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:10.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040809Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:10.081{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-784A-616D-FD08-000000000402}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040808Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:10.081{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-784A-616D-FD08-000000000402}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040807Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:10.082{8D4DD44E-784A-616D-FD08-000000000402}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028561Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:11.695{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1491E185C23AD260063C32C5D5A4DCF,SHA256=3F3557B832709D2616E7D052309F195109B3BBC4452F51F9F07EC0BD6898F9B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040824Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:11.550{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0F9FAB4F4C57B1F87902DBAECB46E5,SHA256=9BA1EA0412DD5E23CD27B31F99700DC80C506C0C8AB1A1228120046B6E82D50D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028560Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:08.815{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028562Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:12.726{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A27947598696673A5EE6DF8D4FE3841,SHA256=5D80EE5ABB30895A89F5696C88D1BAA2ED7EC4CFEFAA6F4EEB853F70DEFF0738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040838Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:12.597{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653A786B289BF67E0190F66EB91C21BE,SHA256=DEAB8B5941F10F3FEFF78B912EA6A4572AFC2EA790C2538C045BB5AC41560D73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040837Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:12.081{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-784C-616D-FE08-000000000402}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040836Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:12.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040835Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:12.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040834Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:12.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040833Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:12.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040832Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:12.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040831Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:12.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040830Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:12.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040829Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:12.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040828Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:12.081{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040827Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:12.081{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-784C-616D-FE08-000000000402}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040826Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:12.081{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-784C-616D-FE08-000000000402}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040825Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:12.082{8D4DD44E-784C-616D-FE08-000000000402}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028563Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:13.742{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409631529FB0579AD5EB59506B4C201B,SHA256=41F537D7367FCAFBDE0707517D9585CCD0345B5B76B432482565F95DF6944E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040840Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:13.644{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05ECBC139377C9AA64E4E6F55C99D1D,SHA256=246D96614E8F62254E1C16AD931F830504396D1230A6CDAFB42ABA2BC2594199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040839Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:13.097{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75B9DA8AF52FAE9D930E71C609974AD1,SHA256=51F83EDB693645DA7EB17E1BF973AA5D574F2C8E5C610571D8D5C9B72CE21A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028564Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:14.773{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059879DF4AD65DD7B22247B90FA8552B,SHA256=4595763C0EB52AD4EE255B1462AEC3F02B77BCC7FB2F792295ECA753009B65E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040841Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:14.722{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC44823B579A98D7D5B7CAE3E51F5868,SHA256=08CC08B2086E71CB696AF4F8886EA111DACC754FCE392FD9C0EF608543D7719B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040842Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:15.941{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C96510B6D283A3E9BFD34E32DB90AF1,SHA256=41CC93455785D2B82BC16C8B63E96191328ABEEE3C525D8A5965F5BEC7A7C457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028565Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:15.789{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7631F2A974FF4155A53580B1771E09FA,SHA256=AE86B42F5C903C6B2010D63B351FAAF62D9BD39A0DBD4AC9FBABEAF0F9E09A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028566Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:16.804{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB396EF1E2D90EB12773ED6467A0ECAA,SHA256=291CE2A169E0C1AC98703DC7CF2468B9B231EA1C3859C08D567685DA07A10663,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040843Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:14.080{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58958-false10.0.1.12-8000- 23542300x800000000000000028568Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:17.820{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A25164D4A125139B6870ACEBA830C53,SHA256=0189A22DABE64BF5013DC390BF3E72D2962CB17C2AA06CBC2638B71E633466AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040844Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:17.175{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167FC63C0A4061ABA208CFB0F422D1E3,SHA256=2AE72E21C9E9152CEFA91DAF09B62B6DF1CC6F67FD8EBAA41C1C55F86E0C9AF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028567Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:14.752{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028569Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:18.867{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB3A0B129125966AA7AF929EA57DDDBF,SHA256=4EE32E4FD76EBE7399858EE4531F5D8DC1C054BC4C8B83D01119A6F859C73C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040845Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:18.409{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD68A974779192266114892823B2657,SHA256=75228A41B12DC2761AB611A7E06E0335C2D746C646BC25F318E37AEF1F5E4F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028570Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:19.883{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685BCCF6EB74000868FD8CD420F050A0,SHA256=09720EEB4DBD19CC9FD92599A3CC918F1CFF47D480F4B51C141028B283FB2080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040846Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:19.488{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE80E18C7C178F84F32FE1614C377326,SHA256=28003210978EAE358FC7FD8D321FE0B4948B3C1A2C061C2B5DCC1274BB341FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028571Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:20.914{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515AE0DC51B84298E3F037D2DA052EE8,SHA256=4F0497BCC36D4A90612039F272254B461A5B0F561DD4BD94795E1AD221883A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040848Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:20.772{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-118MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040847Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:20.489{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9509F91CBA2BA23792269D576047E07,SHA256=AA98BA2D902EC3A71C27DA8186EAE476E97814A0F413D9774DE59AD6B744BEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028572Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:21.945{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D5A27682E186380C7DA612F15BDABA,SHA256=1FB7FD56B980E7BFCB05CC755B5BD12BB8465F9430218F9E52CE832D2D7883E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040850Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:21.785{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-119MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040849Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:21.503{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4684ED17F659321978516EF42779986,SHA256=3CF0663A581B2FA9C6B09D67C704A9EF98248A48C3177C6786A83C497EE808E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028574Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:22.976{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010224F4059147E407D177CFB580A932,SHA256=6FF8EB760D5AA87E9AC2257E0C9ABA9C8F2A8A1CE6735053E1CEDD308CF0886B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040852Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:22.505{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55E9A17048330D33044B4808750BD59,SHA256=05B41F191F37226F04551A07E514FE4F6A9D0C02C7107008C5718FB3D3DC715E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028573Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:20.752{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000040851Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:20.111{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58959-false10.0.1.12-8000- 23542300x800000000000000028575Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:23.992{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCA4EEF86E480DAF666D60420F22DC8,SHA256=35EF31391515478E7600E558160453E2A0E712A2B19551C585EFB26B352C3139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040853Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:23.520{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B132D870218228D21C2087789D5FDD0,SHA256=029337B8FCB2420C7C5C431201CE8B93400B4B1D820ACFFE1E3FB53AA150A5D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040854Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:24.520{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24C59E03BB9503FA06521686BCBDF39,SHA256=05A114C36B7FA4AF6F9AA6A4014DFFAF72774CDE046AF1D8191316B30EE45BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040855Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:25.536{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60BD6BF5E1FCA854B7B5A9BF5749AEA,SHA256=C7C787313685832E008BBFD6A43BC356B33B72385F510FA2FAB60C18DFF8470F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028576Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:25.008{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A28B83865139A5C6AA46F2E7D90163,SHA256=22217894CC3EA93C219DE6380AF09C25E6446B4F55573448DEF1D509122F2D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040856Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:26.551{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0D415067D17744FAF932F52FE9A6FC,SHA256=448DD3870C3870F39D7661ED7805424B01B4E5F06E9D3EFC2E46C05F2041DD3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028577Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:26.070{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33A3895DB1DC0228B363B765ED28F5D,SHA256=FD5A186A1FF3468D0F6797DBAA9994EE622063C3898D6E2C1C8046B669CA2623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040857Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:27.552{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F4346E88BBABB49DACF1386C3B3848,SHA256=CDD530461CA4A7D978BAD184DBEBC98B8D175E657275FA37E427B9B5EB5DEB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028578Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:27.103{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35825E8DA851020CC6231F1CD1393A0E,SHA256=038D51870A28EB23F06BBBC792393FBFBE70359B067E0595855EEB77202787B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040859Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:28.708{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A961DC70449D0BA0A8AFD09945A3FB3,SHA256=73F65BB182E3F689E5EEC813BCFEFCC7EBF437FFDD1A6DEE9554A14F472F980E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028580Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:26.753{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51109-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028579Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:28.134{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B607AE9C2AD88F3804FE94CCEA0E7C7,SHA256=F66F628774BC189C4B2BC94302DFF4F4464FD60886F607DF7518B88EC82B5065,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040858Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:26.081{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58960-false10.0.1.12-8000- 23542300x800000000000000040860Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:29.740{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8739E3101B687B31818C2352BEA356AC,SHA256=C398C979D44DFA3A11A30D316A965DA288E9A4A4BABFE5762B19B6FBE9FBF1B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028581Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:29.197{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC21ED03552C7313F0C5E47BB32D3E58,SHA256=918739D6ADEB54EEE74B2154E77FEEE2D8CBBBC5BE9AB98EBB8289A7A560A7BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040861Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:30.771{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18023360BF7B2E7462E648286B79012,SHA256=C95E4980254D1C26280CE0D193136B6D5D5DD81E04FF25F4680D59CC41B7A97E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028582Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:30.228{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1154AA5143A812416D4D8E16ED453A,SHA256=A0C5EEFD1D4F8E0AFE5D8BDC95C91702462AF9F197A1AB0438BE9EF5B6795C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040862Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:31.833{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A386F7285D20A96BBC53DF6CD9AFB9F,SHA256=484FD153841A764712492966780D3A5BD6F526C516235418AA446CA763DF8B08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028596Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:31.416{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-785F-616D-BE06-000000000502}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028595Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:31.416{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028594Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:31.416{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028593Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:31.416{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028592Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:31.416{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028591Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:31.416{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028590Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:31.416{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028589Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:31.416{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028588Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:31.416{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028587Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:31.416{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028586Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:31.416{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-785F-616D-BE06-000000000502}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028585Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:31.416{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-785F-616D-BE06-000000000502}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028584Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:31.416{6F8252D3-785F-616D-BE06-000000000502}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028583Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:31.259{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A946040FB45D1043081331CA2F261B3A,SHA256=C5C3BC97478D819BAA5B25AEFDD8D04478795115E0E94C63A6D72C8830E7B096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040863Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:32.849{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5896886551AE4B808D737F5E8194D6,SHA256=DA9819C80F36C5AA28F542D92898F6E312BF1D801EEAB14EB66595573BC11C4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028626Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.728{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7860-616D-C006-000000000502}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028625Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.728{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028624Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.728{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028623Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.728{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028622Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.728{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028621Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.728{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028620Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.728{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028619Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.728{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028618Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.728{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028617Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.728{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028616Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.728{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-7860-616D-C006-000000000502}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028615Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.728{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7860-616D-C006-000000000502}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028614Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.728{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=735483E972F7E94F3926C274F60A2A46,SHA256=865532F8CE95817E80D2B4B160B42B31288B8A9F014A730F8C20D1F66C62BC6E,IMPHASH=00000000000000000000000000000000falsetrue 154100x800000000000000028613Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.731{6F8252D3-7860-616D-C006-000000000502}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028612Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.728{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FBE4A8BC86672DCDD721BFED7A58EE1,SHA256=5C0B43B17D2D9F55EE0606EAA65C8DF5EA8B19193B31FA87141E41A0C60AAC5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028611Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.728{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=823F421797853196D707048C7B8B7862,SHA256=129ABBFE781C451249B0BA189D1FD3E74C25E602D791A36FC11E350CD4912192,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028610Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.322{6F8252D3-7860-616D-BF06-000000000502}3544980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028609Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.088{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7860-616D-BF06-000000000502}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028608Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.088{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028607Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.088{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028606Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.088{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028605Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.088{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028604Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.088{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028603Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.088{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028602Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.088{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028601Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.088{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028600Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.088{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028599Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.088{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-7860-616D-BF06-000000000502}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028598Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.088{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7860-616D-BF06-000000000502}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028597Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:32.088{6F8252D3-7860-616D-BF06-000000000502}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028642Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:33.791{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=735483E972F7E94F3926C274F60A2A46,SHA256=865532F8CE95817E80D2B4B160B42B31288B8A9F014A730F8C20D1F66C62BC6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028641Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:33.728{6F8252D3-7861-616D-C106-000000000502}32003216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028640Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:33.556{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7861-616D-C106-000000000502}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028639Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:33.556{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028638Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:33.556{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028637Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:33.556{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028636Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:33.556{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028635Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:33.556{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028634Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:33.556{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028633Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:33.556{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028632Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:33.556{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028631Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:33.556{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028630Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:33.556{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-7861-616D-C106-000000000502}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028629Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:33.556{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7861-616D-C106-000000000502}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028628Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:33.557{6F8252D3-7861-616D-C106-000000000502}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028627Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:33.338{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBDB2A1C278793AAF6C53AB9127B94F2,SHA256=A5EEE5981E54BC2851AC22402223A8DDFF34654A6DE9223E4D47B7357742AE31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040867Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:31.926{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local58961-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000040866Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:31.926{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local58961-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000040865Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:33.068{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2088C4CCDF708425002F972B9EC12E66,SHA256=2D48E6BCC6FAD8A0C8E95D9F3E7B5AC939703048A0795626778F0F62985E2324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040864Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:33.068{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9262154F869797F6554EB096493E86BC,SHA256=80FF849FDBC1E9CDD450F7DB92FFB258B6D43964FAC87B1E85D552E1E5C15C62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028657Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:34.775{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7862-616D-C206-000000000502}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028656Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:34.775{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028655Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:34.775{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028654Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:34.775{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028653Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:34.775{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028652Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:34.775{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028651Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:34.775{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028650Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:34.775{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028649Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:34.775{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028648Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:34.775{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028647Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:34.775{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-7862-616D-C206-000000000502}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028646Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:34.775{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7862-616D-C206-000000000502}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028645Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:34.776{6F8252D3-7862-616D-C206-000000000502}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028644Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:34.369{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65561CAEC73D942D0116ED59E9E94307,SHA256=9A01B0AFBEDC07470F9E0A1274E2DF1DC7AC4FBE9C646AD495EE2895627999F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040869Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:32.004{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58962-false10.0.1.12-8000- 23542300x800000000000000040868Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:34.083{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBC69A80A932BE6F2F7B13464911F9A,SHA256=11A57777946B057CA3183FADAD1FD7BE13A5FBE1CFE5E5B6B002B0BEF6A79205,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028643Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:31.769{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000028686Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.838{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7863-616D-C406-000000000502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028685Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.838{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028684Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.838{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028683Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.838{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028682Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.838{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028681Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.838{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028680Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.838{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028679Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.838{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028678Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.838{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028677Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.838{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028676Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.838{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-7863-616D-C406-000000000502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028675Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.838{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7863-616D-C406-000000000502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028674Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.838{6F8252D3-7863-616D-C406-000000000502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028673Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.806{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F72206450F94CB676824FE4DD8EBCA09,SHA256=1889469B68983416694057D85A0E412912FD445C8B2EC681408A2A1A55B6A889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028672Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.744{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A51A46527574C57CADC95049931B22F3,SHA256=D438555B775EB8294ED5DFCE67D83AC90C15285438ADBDE6D81840AD7AC84769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040870Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:35.099{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA9116B64715DE70B2B83F2837555E8,SHA256=B7AB05CCBBE2128C9159A497884340D313D9CAFAABFB40779680441D14AA6A02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028671Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.275{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7863-616D-C306-000000000502}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028670Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.275{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028669Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.275{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028668Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.275{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028667Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.275{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028666Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.275{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028665Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.275{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028664Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.275{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028663Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.275{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028662Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.275{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028661Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.275{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-7863-616D-C306-000000000502}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028660Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.275{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7863-616D-C306-000000000502}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028659Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.276{6F8252D3-7863-616D-C306-000000000502}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028658Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:35.025{6F8252D3-7862-616D-C206-000000000502}36361052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028689Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:36.900{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B04DC7261D346BF30B6616F2952B1483,SHA256=E13A5683E0215C9BA24DA2BBF0B767EA3323D8F3619C5CC1EAEB2893BDE4110E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028688Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:36.759{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1D8995518F62A98FF8343E18ED3A98,SHA256=E91BA3D842C96A7195FD7ECFD1EAAC9BB6C8B0C2DEABC869BD3D6BAB6D38EF1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040871Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:36.115{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F86BEC949A8A9EE348410DA8B53FE2CD,SHA256=AA12577CABA957CAF3472845D3B27F4D3A9065F0EA47C00E08BFE176B9039B65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028687Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:36.009{6F8252D3-7863-616D-C406-000000000502}1852360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028690Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:37.822{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08C71057C95554F872060587205EC11,SHA256=BB143724271CAA12E0EE88D3BEBB8DC14ED0607BFB145B7E6502953462FF7DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040872Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:37.146{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C77FA8183C5002F7CC8D4A1C54510C6,SHA256=082FB8397AED9664B40807E7E6F51DF4824528714FEF6C3AAC364D7126BBD7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028691Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:38.838{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7378A718DFAF10F1F47C6F70E227EFD,SHA256=73004DDEF0D909F5EBF6BC97406A28D9EF85596F0059A533541CC0441353E796,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040874Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:37.098{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58963-false10.0.1.12-8000- 23542300x800000000000000040873Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:38.380{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F8EAB3145936AA9B03B3031B9E25B6,SHA256=CF0F85905D4E2A6239E6DB2EFBBA6D874A93E2885FD9F00D5FDF080ECA0D4816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028692Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:39.853{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6549E0B02E024DF20217DA987B88E674,SHA256=629D951F2C9BBCB9CF1829BCC3F2DB566863BC7A324F8C344879094490256854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040875Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:39.411{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E463BD621DE5D1D9E2F92D0B604F6DF,SHA256=58AC2018FCCD57E82FE119B1AFB37D365620E5C47593059F0F13AEEB37A07486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028694Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:40.869{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA6FE9A2D6E974582836AFF6B1AC849,SHA256=6466712520EB0899FD367CAD99E515F2DA88DAC5C7E8F5B4EC6221E7869DFAA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040876Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:40.630{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D47CCEF6BB0B356C7D6CDEB252224F,SHA256=56763BAA7EFBB90B7A37477AF7ADACEA897A2230DB4B5BC4CBF9717D4707AAFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028693Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:37.800{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51111-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028695Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:41.884{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D284268DADC74463A5963721E4BD8C80,SHA256=233D699BC8762A2869B26062ED267F45AF5D58299E130032208BE3258D7B126C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040877Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:41.677{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93118A583AACD2F525C0DB0879BB122,SHA256=BEF63EBE87059D74F35AAF647D988F6E2612A4E620232CDBE553625035EF9662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028697Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:42.886{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D7B9E24D4F27C3F5991F42C7241C18,SHA256=8D30440CDE795231493749F740840A6B7867503F7675B0FB44BE0CFACBB67C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040878Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:42.708{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9AD405AB497B23A0357CFF901467858,SHA256=5D0BB1D950E1014074A001060F07286CE5068F017081F9BC75DDEAB3A0EA177F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028696Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:42.482{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-110MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040879Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:43.740{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB249A4D72A71DCD5C4775EB708B1D80,SHA256=3A260AF291734B09E927677775663E57D765E80A4DE4B4DA38B881FFC1353387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028699Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:43.915{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12574976EBB2EF080DF4FAF9A68AC533,SHA256=D20A03DF9C5D2694C9E10636EC319FF152643699959C773DA6D04E3705FB1EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028698Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:43.496{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-111MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028700Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:44.918{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66B46F4FDF5DA04626BC69D16F07640,SHA256=E069298A4DC70A990E29A4A49CFF6AA0E3803A2820A768EB6B2621C9C97EE0B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040885Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:44.786{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF10DBEBD99A6F66A2FF35BDE4658C0,SHA256=8F800DC0A18B1CC5BD3C15B3E4D05D9798D85724E00398B79A9282AF4EBB3F2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040884Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:43.051{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58964-false10.0.1.12-8000- 354300x800000000000000040883Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:42.383{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local49872- 354300x800000000000000040882Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:42.382{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local53010- 354300x800000000000000040881Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:42.382{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local57706- 354300x800000000000000040880Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:42.381{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local55138- 23542300x800000000000000028702Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:45.933{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2075EAA6A5FB8954FEEA723B6861DA0,SHA256=0F1230888D1CE9E3C2A27B3AFE1454D26437D1CBDBDFB5EB6EF35B5DD6808571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040886Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:45.802{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E156882932932330FFFC83D5510685A,SHA256=F191F589312763711DF60E0E40BA73CA7CD1F9E2C403A88569AB10EA358B57CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028701Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:43.770{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028703Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:46.950{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AEF14A9C2E969FB400DD51737791039,SHA256=8FC65D16975BFD66D545B221E0B0ADA4BC94741F21F1B04D205CB651E64F7FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040887Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:46.818{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D77B6D440056707831CBC331538C62A8,SHA256=F1B10956498B571B1CE2C62C93881166561C7D653885AF4E2F4EE314D3651923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040888Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:47.818{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33971D9FAB079DF90A276D7CEDB73DB7,SHA256=053EB04FFD347D74E6BDDFE26BD992BF9FBC89A3C0E90B11D2CEEEBFB1CBCBC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028704Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:47.963{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC5851A86BE6BF57C9045AB18F038D24,SHA256=75C0DAC29AE0EB746995FCCD80E38BABF35EB3E14559C06FD37C85CD446E9052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028705Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:48.978{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0202DB915F56EDAA66611A9A72E06E,SHA256=74EF87AA82EF3B12AAD0FCD2AE33FF4328B728A2D8DAAFE759BAB0EA3A573B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040889Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:48.833{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9238C33DD77DA1E148C5C20D9ED76EAB,SHA256=C50980B475EC5BB93C431F7EBF6A43AEFAC8EDDA0297F2BC2E5E1409454F4271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040890Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:49.849{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E189E3652EB96FF8739E77FF561392B,SHA256=249E4D5FD92D60D67412E5BE9CF6FE7254140BCD2FDEF255C04A8E316E735704,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040892Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:49.035{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58965-false10.0.1.12-8000- 23542300x800000000000000040891Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:50.865{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007DCF012169CEE49CDDADD8A46DE962,SHA256=095BE6B148AA3BC8AF562F832FC893F66A89FCCD68F24780CC42FF3AC10B9DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028706Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:50.010{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630088ACBA8D713F3D258AA219FA4F78,SHA256=A84F938E467200CE27296DB0022D4E3E7696FAFAC2F57BA5063D75BC77FD49AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040893Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:51.880{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2211AA61050DD22F0127B4C5C6C7BD4,SHA256=43234BD640D8FB731EC72422620C0EBBCEE864F4CD9067045DF3E25215B6ECBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028709Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:48.815{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028708Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:51.806{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=31D210BB0B7820ECEAE07E8E669C6B89,SHA256=6B060BA3D748CE356009DF7AE1EAFE938712AE9DD408B10AE9A9C4C6AEDADBFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028707Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:51.056{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC1E5BC2423096314775DE87C0F96F5,SHA256=FBAD42160411C18457569692763EE540FA3266933C4E006520AB5C2031E1EAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040894Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:52.896{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FAD5B4D1EEF66BEE33F229E402A66E,SHA256=3BB19BF304FB89BEAA90C1A064FA1ADF9E9A4F2B82785143A38C8B236229A00F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028710Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:52.072{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F8405ED16F170129E6205DDFC44429B,SHA256=AB381E116ED629A4F71A2493BCD23332240B71713A63981AFE554E79C999A272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040895Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:53.912{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10E34BC49B64785134F330853F9A33A,SHA256=8268F54BAF53CB7D365EC1410FA98465E5A8B313F6CC19BE8C11E305BCF62C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028711Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:53.088{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444149516DBE3A2274633AB1170BE17F,SHA256=DA4408067CED4F979E3313C3F62AF4064D3B3153CB224B9A5B05BE210666A569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040896Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:54.927{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3169D583E1AC197A6A27CD29E9C1D75D,SHA256=281522201057E19C43F68E8E1056E887F939D599AF816D2E2598D0D9EE0F080F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028712Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:54.103{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE47B21D055968ADEABF39CB1CEBAEC,SHA256=F8F586899BE7BEA7563147197DDA040D05D32A63086E1ACA71400974D7E7CA17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040897Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:55.943{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FEE04AC01AA8523D2F71BAA591A018,SHA256=6C1F5990DD155D8478CF79B2FB5472E92BCA661E4C0B00D90319D2FC442C1FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028713Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:55.119{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF091FD859D739D17822A68782CE2B3,SHA256=2FF2869B5B289699A65B9BC97988A7BA125B8256C30153AD3ABA61A508895612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040899Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:56.958{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107D4A1B4FBF7BF85542E5116217D79C,SHA256=FE7D18051A1CA41722BA20B8468F327F5D85A433F466F3D0A9AAE7DD8F9FC573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028714Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:56.134{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739FD17C4ECD740C50D3CD5D82EA3353,SHA256=5F416B16C96249D8580CB80FD0CB35B8FC839F58CABC76ED24B00B095176BBCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040898Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:54.066{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58966-false10.0.1.12-8000- 23542300x800000000000000040900Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:57.974{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95C63FBDF1AB8D6B2367FC842F8B433,SHA256=6BACA324A967B4161F502EC90907E2A32BEB4D6DFD32D6D68A5731CECE0E6BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028716Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:57.213{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905DE6A9430B0BF624EDA04A05B9ABA6,SHA256=DB459A2EBBC65C20468C233CBFB0A13856E9159EED38B608F07ADB2E687F07A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028715Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:54.706{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51114-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000040901Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:58.990{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B58A490355016C84378D215A39B7F3,SHA256=B4D4B6A15569D09B26E820D53E0691B53F63075D0AC57BA77488F01DEB9C992F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028717Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:58.228{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A86631C02FA730AA8D372507ED209A7,SHA256=6B88D9E07161B96F30536C029F50E278A142B9DA41D3CFBC7759C66F1A71956B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028718Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:59.259{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7FA6C8A2C89F9EF5202303E29658276,SHA256=17EEA0F9D22BE2ED61572DADC2FB615427D3FF0F3C370AB003DE0942ECF2FA41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028719Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:00.275{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B544C68169109CEFD3832B7EC851E576,SHA256=5554C31ED388B34360F4F8D8D587793DF72507C6A1691A5125D08FB5A63D63CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040902Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:00.005{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59438EE0CA6ED83FBA161A9B7E5E9197,SHA256=19613AF82B90F9BA38ECFC76EF17944A5A7FF7E91BE8FA2A6BCE1EAF65F9917A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040904Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:59.129{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58967-false10.0.1.12-8000- 23542300x800000000000000040903Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:01.021{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E834F1B5E35AFA610A143DCD75F48BB,SHA256=AC4167AD6CB6D83AB458E6E05452226736FCF281E20ED770E6233AD3ED9811D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028720Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:01.291{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44DC23028A8614594E4B7BD982190E44,SHA256=D0C0EF2024B590AD4F7CF530DED4226E44CC170A508F21ECD45D8E72C86A5DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028722Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:02.306{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B785D051FAFE440D27864D55D31A9B,SHA256=E7E52B6A13DCCDBF60B292267E93D497A7A955722C7D032E90E3D4DD2114A388,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028721Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:59.784{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51115-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000040906Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:02.677{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C521FFCE281755E801184C77A6E5A03F,SHA256=AF250DC759B9F98B12BA65E41E3215EF9A12A8FB0FB00C0C9333342E0F8F8FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040905Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:02.036{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F853655A3E1106C077B7DD180C1D34F,SHA256=B7DFA964AF3467425091BE243B1B5B3034CD4DF9595D16B3F1C67E80FE711A32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028723Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:03.353{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21364C6235567511018089DC55FCEB4E,SHA256=9FE7B88F89D22B1E441D58421831FAAFCEEB1AF1544194B7E3F1FDB25638FEE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040907Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:03.052{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A086D6A3F44C1A836AE68B62494C3C9B,SHA256=8B6320B2405E80C4661A5CF977203EC6E5D7791B3D37F05AB23F618E3187CB06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028724Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:04.369{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C35EEF0C06D13C5BC8889658366026,SHA256=36C16F98837B0C680AEC73CDADC5E44E3648DA42C418981F048216966EA34400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040908Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:04.068{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65E4A34A83F523351CA6D9A44DF7413,SHA256=CD12B448469D752CDD089954BE7FB2E960BC5AFFAC076641C1D1847E5091F146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040909Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:05.083{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA8E399D0169BE2447BD08456211905,SHA256=777689601B2CDFD9F5CBC27DAB1D2C7104D27B185C2178A2DBE6559D68C288C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028725Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:05.369{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D799DB1A518DF8D80C77A08CEE399D63,SHA256=528587F77301574026CEB84047EFFD6E63C86E37F474282FAD25446101DDB696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028726Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:06.384{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF64A1ADD3CF51CBF8A69B3868627F5,SHA256=BA2126A9F70785C81A0CF2E7F7004C7647931720099C28D58A751F42DA354CA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040937Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.818{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7882-616D-0009-000000000402}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040936Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.818{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040935Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.818{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040934Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.818{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040933Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.818{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040932Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.818{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040931Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.818{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040930Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.818{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040929Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.818{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040928Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.818{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040927Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.818{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-7882-616D-0009-000000000402}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040926Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.818{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7882-616D-0009-000000000402}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040925Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.819{8D4DD44E-7882-616D-0009-000000000402}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000040924Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:04.988{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58968-false10.0.1.12-8000- 10341000x800000000000000040923Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.318{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7882-616D-FF08-000000000402}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040922Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.318{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040921Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.318{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040920Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.318{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040919Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.318{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040918Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.318{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040917Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.318{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040916Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.318{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040915Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.318{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040914Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.318{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040913Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.318{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-7882-616D-FF08-000000000402}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040912Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.318{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7882-616D-FF08-000000000402}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040911Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.318{8D4DD44E-7882-616D-FF08-000000000402}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040910Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:06.099{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2066AF9201951A97A6C4866903EBA0E,SHA256=ED53A59A7BB3F20D2F32B46B3C29958F168D8249F24B86322E80152CCD2F2908,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028728Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:05.799{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51116-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028727Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:07.402{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E343AEBD3F3CE87DA76CD80E5C35F8AE,SHA256=0E8E42AE96FE08D72C55748591EA8D524305ABEF2BB9796761B37167373BCCDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.663{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.493{8D4DD44E-7883-616D-0109-000000000402}39923804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.335{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7883-616D-0109-000000000402}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.335{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.335{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.335{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040949Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.335{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040948Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.335{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040947Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.335{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040946Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.335{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040945Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.335{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040944Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.335{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040943Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.335{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-7883-616D-0109-000000000402}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040942Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.335{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7883-616D-0109-000000000402}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040941Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.336{8D4DD44E-7883-616D-0109-000000000402}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040940Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.320{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3B481CF07CD8D6A20C87153E299160A,SHA256=C4AB8E48DD8E96A5CF88DAD0F09058900DEEAC3934F84D4EB1969E3BDF2526C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040939Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.320{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2088C4CCDF708425002F972B9EC12E66,SHA256=2D48E6BCC6FAD8A0C8E95D9F3E7B5AC939703048A0795626778F0F62985E2324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040938Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.195{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25899F4EC6BE2CB2B03A41BF350EDD30,SHA256=12AD09D5937A1E04C8AC7605AEEE09A4E627AC9371E1C363E95911C8F8522BDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028730Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:08.402{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98889F6DB7EDCE9D5F6A90EF099DC57,SHA256=30AFF4678448D825FB0F98674EB192C79C82DEC502326B0E47F66BF6D076B36E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:08.632{8D4DD44E-7884-616D-0209-000000000402}44084252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:08.460{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7884-616D-0209-000000000402}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:08.460{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-7884-616D-0209-000000000402}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:08.460{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7884-616D-0209-000000000402}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:08.462{8D4DD44E-7884-616D-0209-000000000402}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:08.413{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3B481CF07CD8D6A20C87153E299160A,SHA256=C4AB8E48DD8E96A5CF88DAD0F09058900DEEAC3934F84D4EB1969E3BDF2526C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:08.351{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5319193977965C873F8BA529702BDF05,SHA256=6F67494C7E01BCFD291038714F17612225031237226D35A6F82DB535B6261705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028729Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:08.308{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028731Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:09.433{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA889215D12D2979EF4CC831153DC94F,SHA256=BD1730E60DD89B8E1ED02121D08CE0ADC5613215803447035DA67B6D99DC1BED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:07.521{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58969-false10.0.1.12-8089- 10341000x800000000000000040987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:09.617{8D4DD44E-7885-616D-0309-000000000402}26604428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:09.476{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54EDB30E0E582B2C93B504379A0A09CE,SHA256=220530E3CE834A33E1A827837A82D0477B48E9D352B74BDAD3B0D9582281A62D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:09.429{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7885-616D-0309-000000000402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:09.429{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-7885-616D-0309-000000000402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:09.429{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7885-616D-0309-000000000402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:09.430{8D4DD44E-7885-616D-0309-000000000402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:09.367{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857055EEC2E5E7A8A9BB193E7790F7A3,SHA256=3FDEE5C0DE3EE3A209BA0E533FB955EDA6D43D45E67041BE50FB2CCC745BA7DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:10.726{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E710995759E35535635F9F0B77FC5E12,SHA256=35FAA89B7B955A359BACA2D9C3F7A6014C0038D55718A19E6F88DECF53964E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028733Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:10.449{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4BF21BD8C4A2E0BB7364DD5E58821F,SHA256=AD3A0C2A9FBD5899DAB1A0749B66367EF75AB9E6ADA17892264646A304F963A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028732Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:07.848{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51117-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000041002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:10.273{8D4DD44E-7886-616D-0409-000000000402}50604992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:10.101{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7886-616D-0409-000000000402}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:10.101{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-7886-616D-0409-000000000402}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:10.101{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7886-616D-0409-000000000402}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:10.102{8D4DD44E-7886-616D-0409-000000000402}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000041019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:11.976{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7887-616D-0509-000000000402}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:11.976{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-7887-616D-0509-000000000402}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:11.976{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7887-616D-0509-000000000402}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:11.977{8D4DD44E-7887-616D-0509-000000000402}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000041006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:10.100{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58970-false10.0.1.12-8000- 23542300x800000000000000041005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:11.788{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2852736213E71E751FAB14A304ECDE46,SHA256=CAAE6C5F18760DF9B811A16B05941B0408848185BBB020364B4F2E84E33635AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028734Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:11.558{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720C2B8F858B938EE06DD91D16A5C801,SHA256=1ABC9C54A6C9FB218826B75BDDBC2BFC8D43A8412E1DC9115207BDD73BEA1785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:11.148{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC2B814034DD340E487E6C0172531EF2,SHA256=381BEC85ED32544FCA62D08BD73169F6D07E9F9265A50020EFD3FAB3AAE17129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:12.976{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EBAB8333ED51049A0E8DE2DA63BECC4,SHA256=172BF4C736B9A381D96DC58A7DDD5FF1D525A2BD6A4A08AD148C185F25E20799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:12.835{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FA6415E96CC4FD0E153BAD97E9783D,SHA256=485ADA7165BCD2840E6632DFFBCC497D67CD6D254C62B17F3F1CBEA62E61A63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028735Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:12.574{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CCEEF60098134D81C4E700DA5B7DB98,SHA256=ECD2F06D394EB0A31A96AB8876404482366C32E14F7712C1FDDF6FA82F563951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:13.851{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D825AC306B7E08A7D62E3A80EA79ABCC,SHA256=68098E1DCFEE419652F02C32FF37989932D7A9C034289D2EC55CE6E72F167BD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028737Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:13.605{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8FFFEC23917FFF5FDD835FEFE79BB2,SHA256=874C3E91D6CC8FC3D6C2105C4C900192BA36ECBF16433E14F520665C78C6FF26,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028736Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:10.801{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51118-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000041023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:14.882{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D14AF0E447817B86FE178A08EAA75C9,SHA256=72EFBCDF5ED1E9D4673CC62B14AF7CBC875D78C396F63171A7EB7A58A419D1CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028738Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:14.636{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95CB08EA60FF59580BB8CA33FF16EFD,SHA256=C453A7CE625D1308CD54B1917ABDC09A4A68567AD7BCB853CAECB90A7FA64A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028739Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:15.652{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381180DF937C6BB56E02111E10B03FEE,SHA256=B9F861C06CDBBE18D65C8B93C38CAE3C94B8F49C82444A2DBCC1AE78CED68B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028740Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:16.668{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72F1214E491C8BDBEDD5496D85C8147,SHA256=458778ACABFD2A6961E67D188A78FDF24E520938D85420FDDA5531FFE5B422A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:16.101{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC4C28AE1D04834524BE54E2C046866,SHA256=7ACC15D2D8897A47B2027FC00573B52E2EB27C0E473F132749EF78EC71354235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028741Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:17.683{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312876537B84C35B8488BDC960FB89B3,SHA256=11B655AC788C1EBE927AE9D4A1D7DD76E4F1E2C239182F27AAA4C15E24554F89,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:16.069{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58971-false10.0.1.12-8000- 23542300x800000000000000041025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:17.163{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A51514E4581DEF7A4C0F76AD2653696C,SHA256=BDBB13B87515F65DA2854AEA628166DA23EDAD31D05AA1AE7DE74FA2AA365173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028742Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:18.761{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807CFC9CF797789A6CF33652EC507125,SHA256=BCDE283B46E3CC243C91D97707A9D8A77C6D1E027CD3E50140164901608D5672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:18.195{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A011D9CECE85C013D3C8F6D0F946A8,SHA256=80FF2B71309FFD6E672CD579F29413AF5DD09210BBC4AB79D038BBECCE0D937E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028744Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:19.777{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1AAC2D1D879357450E8FC2ADBAEF0B,SHA256=06C267BD13E9DCAE763A6C354D6053789CD806466AB8556EBDF310684307ECC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:19.226{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0552104C7EE96A3F852D05078019D6A,SHA256=5D6697C93A07378EAAC3D373D4EB3432393D098D2DD67F6F2242853E86357957,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028743Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:16.660{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51119-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028745Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:20.808{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2FDFA0DE3BBA90AECB789814891F54,SHA256=ED651445EEB0A0492DF600BCC79BD8F16B039FC1988D3BCC61669CE21598C501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:20.273{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E5722F547A50C0821BDF5A6D057C54,SHA256=E6E72238D5621B3549F059771072D7E266CF8F7D407026690966CD8249C2CEE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028746Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:21.824{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551283FDE4D73AE8A843CE0DC0FBB747,SHA256=368DA9D01758A0B96237C6C7346A1072CCDFB45CA37825AEA58D56B2744CE21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:21.289{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BDE593CCE1A3267560602C60514B5F,SHA256=EBE2675B3D031944718A97C98E66B8DD419EC886BF1CDB2D2B3D48C2D2B216AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028747Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:22.855{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8CC93BA296B787B4A6681432C54292,SHA256=1401034D7C2AD7491D986365303A505F8355348092BDCC150F2B93D81F2C951C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:22.307{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-119MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:22.290{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C68B3B6CD45C7CE9374A9B7508CB136,SHA256=18C1ED9F922BA649B164996993D74357ACCD9D3DB5E1DE3DA43B748F84C52161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028749Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:23.871{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51FD886A81F06B112864158CDE61E19D,SHA256=E2AD8A077CFF66F1B22E8053CB17555B1B84DEE27407BA44AB6D47A3646B1182,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028748Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:21.678{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000041034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:23.310{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-120MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:23.295{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEF77C2FCA56A79B81E02DF914BED15,SHA256=D1966EE8DC1282432F409F1FA58B44325FBF01894CCF7132CA4E7CAABEBDE25B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028751Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:24.886{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C272D4B4A75047ECA95EF92A5AFBE2,SHA256=ECA5F9C8B0E696405EE3F97A85ED68182432A0EBC41500D3C47D3C0971574E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:24.295{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D288693A9070E444A229479CE5326A,SHA256=462C1D91E96A9947D96D5FAFAD416A953C44FB323328407CD5AE5955445F4C33,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:21.991{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58972-false10.0.1.12-8000- 13241300x800000000000000028750Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:37:24.683{6F8252D3-5DBA-616D-1200-000000000502}288C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7c425-0x48e9d73c) 23542300x800000000000000028752Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:25.933{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106C8C42FE8B573D22D2B22BB9547321,SHA256=78BBAA0E59B24E3FD2B58AB2285A34461A949B0E97C539CB583EECF409942F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:25.327{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CB97FD309447DC9E13E9BA0F4AA67E,SHA256=328D84C4124E381F5BD14A833F3D5DA427D61A81C8C68D5CEB362D5310DC2F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028753Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:26.952{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED22DB4A7D4F975EDB2E212884982B4,SHA256=6BF1D30DD3C0A22B5530894785DF45011F99CAF2E0FAA51707C3B0B686119F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:26.342{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAA947E5A708BE50902526277D7D9F6,SHA256=EA1AA25DDFB9FF67BE5639F490DF46C58881C4C951EFE0D3C066DEFFB65F57D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028754Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:27.967{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A911E080B5E24D89B36CC2BC1013ABC,SHA256=D0087FBBE893906596831C468F2352140A10A85835095D6BEE5579527920F36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:27.401{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96386C941E2B9EAE74F1B836DB667984,SHA256=8AA309D46F858BA37F57123A7CB7A63E8F67F82CAB715FC2679763A104B4A461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:28.447{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2B3D6DC01BC6BACB3EADCB9188D80E,SHA256=ECC9F099EFC14175C4BB1B2A63CFC6ACAE5C38176A88F378BFCD7F35487BC6A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028755Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:26.694{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51121-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000041042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:29.682{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=722D1FE7620D906B17EE7E67A05AA28E,SHA256=D9A5883616DDAED1D6C452A27389294DE39BE8F240744966C3AE022266A696B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028756Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:28.998{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FD3095D7CFF9EDE75BEB96C2D140C9,SHA256=7EF86F612621B8202C4E9B27837BA105320AA7BB2062FB9AFDE75A321F6C188F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:27.008{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58973-false10.0.1.12-8000- 23542300x800000000000000041043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:30.697{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB82CB4AEB2AE7F6566A1EED870D25E,SHA256=355631D9F46F034890C062A872EADA86D9FA5D279D32F8F75ABAC5B5636AD89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028757Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:30.030{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083D468F2F0AC5BF22C650CB2AD62D41,SHA256=43475EB4116DEB72DFEF8AF1A654B1722C7B45EDDC2A94A6D9B13DE5EB597471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:31.760{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44ADCC3CE69A7CDB7A02E0B141BB05F,SHA256=735AAAD9912E0B640EB5B06CFFA0C3B155E679734FDFC2585F1DD31AF9DB5C18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028772Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:31.592{6F8252D3-789B-616D-C506-000000000502}17481340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028771Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:31.420{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-789B-616D-C506-000000000502}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028770Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:31.420{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028769Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:31.420{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028768Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:31.420{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028767Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:31.420{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028766Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:31.420{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028765Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:31.420{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028764Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:31.420{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028763Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:31.420{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028762Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:31.420{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028761Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:31.420{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-789B-616D-C506-000000000502}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028760Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:31.420{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-789B-616D-C506-000000000502}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028759Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:31.421{6F8252D3-789B-616D-C506-000000000502}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028758Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:31.061{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCECC7BCC1FF2F35BD837E02C8F396B1,SHA256=FCCC9239DB8932F80C881E30BDCF66CB2BC813A3BD031918DF4D8FD8DAB94FA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:32.994{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB058A83E405EF605664DD10F7C7FA70,SHA256=F7EDC8BAB290D3948EED3A0C027AD290A7A4C449B2D8BD6D6B9B7277BD3263F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028801Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.764{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028800Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.764{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028799Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.764{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-789C-616D-C706-000000000502}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028798Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.764{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028797Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.764{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028796Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.764{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028795Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.764{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028794Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.764{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028793Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.764{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028792Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.764{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028791Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.764{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-789C-616D-C706-000000000502}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028790Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.764{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-789C-616D-C706-000000000502}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028789Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.765{6F8252D3-789C-616D-C706-000000000502}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028788Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.436{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25F5F6281B355F0018EBDA7BBFF4F2CA,SHA256=B4B74104E53965804E4C3142FEEE2C9CB2403B6DC9B2B07EF458FF455DD78542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028787Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.436{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5829AC21D140016CCDBEC5989A7E03B5,SHA256=5F496752AD8B6FBE15ACCCF8D915FA7D2CE868F0D03BF4FCD28420DB78C729ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028786Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.092{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8BB12D867F56BFC72399D48B62F8A2,SHA256=EB952E25BD8E6715024AD5ED182950453F5F54824F4CB31400E088CE162A52DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028785Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.092{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-789C-616D-C606-000000000502}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028784Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.092{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028783Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.092{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028782Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.092{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028781Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.092{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028780Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.092{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028779Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.092{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028778Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.092{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028777Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.092{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028776Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.092{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028775Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.092{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-789C-616D-C606-000000000502}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028774Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.092{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-789C-616D-C606-000000000502}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028773Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:32.093{6F8252D3-789C-616D-C606-000000000502}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028817Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:33.842{6F8252D3-789D-616D-C806-000000000502}14724036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028816Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:33.827{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25F5F6281B355F0018EBDA7BBFF4F2CA,SHA256=B4B74104E53965804E4C3142FEEE2C9CB2403B6DC9B2B07EF458FF455DD78542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028815Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:33.608{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F159D39C241F2C2F258139BA2D3F6DAD,SHA256=0E1293AB6278D9634ACA43AFC99FF3850C723C291528F5589337637D87C88294,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028814Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:33.577{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-789D-616D-C806-000000000502}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028813Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028812Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028811Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028810Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028809Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028808Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028807Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028806Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028805Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028804Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:33.577{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-789D-616D-C806-000000000502}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028803Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:33.577{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-789D-616D-C806-000000000502}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028802Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:33.577{6F8252D3-789D-616D-C806-000000000502}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000041049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:31.930{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local58974-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000041048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:31.930{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local58974-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000041047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:33.072{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E856DB5E3789FD356E9C7A03FE985CA6,SHA256=BCF979EF826BFB8D06B748F2449B71B15F60F87CB64E7456DEB7DE2CB3B8FEB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:33.072{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B942E16466AE8E6F6DCDA2C2B1C3BD7,SHA256=347FA5F9CFA3BA685CB99211A4AFC38AD20F46879B41C3DE50F9FDD175B65ABD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028833Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:34.936{6F8252D3-789E-616D-C906-000000000502}35961888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028832Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:34.780{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-789E-616D-C906-000000000502}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028831Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:34.780{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028830Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:34.780{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028829Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:34.780{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028828Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:34.780{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028827Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:34.780{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028826Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:34.780{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028825Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:34.780{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028824Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:34.780{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028823Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:34.780{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028822Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:34.780{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-789E-616D-C906-000000000502}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028821Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:34.780{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-789E-616D-C906-000000000502}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028820Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:34.780{6F8252D3-789E-616D-C906-000000000502}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028819Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:34.592{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019C752270F0BD0BF42B7B6E00EE3A1C,SHA256=83EDFDD9963B36BA6AFBA3A6C90A465F2CFFB0F4D0AFF9BDA9F7622E5AA3654A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:33.024{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58975-false10.0.1.12-8000- 23542300x800000000000000041050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:34.025{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAF688C58FDA851B7398906B993E2AB,SHA256=B962F57F77C2EF771BB4E99E4575CA060C38C43320CF0AF2E5F985E40EC332B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028818Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:31.741{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51122-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000028847Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:35.609{6F8252D3-789F-616D-CA06-000000000502}40242656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:35.041{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13DE483C817F26744F8AE336133B1ED,SHA256=D1A45BB99374FC54AAC9CE1B4B94D4BF23517D06160EE586E503A20CB5BCCA9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028846Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:35.451{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-789F-616D-CA06-000000000502}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028845Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:35.451{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028844Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:35.451{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028843Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:35.451{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028842Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:35.451{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028841Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:35.451{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028840Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:35.451{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028839Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:35.451{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028838Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:35.451{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028837Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:35.451{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028836Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:35.451{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-789F-616D-CA06-000000000502}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028835Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:35.451{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-789F-616D-CA06-000000000502}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028834Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:35.452{6F8252D3-789F-616D-CA06-000000000502}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028863Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:36.623{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738FCB616624D865359FED47B89F7130,SHA256=7C72A1B2ED6DC140C625E883ACE3472FB5C6939EA4137C539356AF2CB3B819DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:36.072{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45C3D925235D0A4B6DF222BDC883A19,SHA256=4E3D6DCEDF612232A0FF38FE2F102A20D9D75AD38416CF50E419A4AED10349A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028862Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:36.123{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD22B746F9F716430CA714EB73C9716,SHA256=273DA45DB173C76FA8CAC923253EE3EB00CEFC96F30FC216A5019928CFE0BE2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028861Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:36.123{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-78A0-616D-CB06-000000000502}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028860Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:36.123{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=992A45D71994B7D832C8A430A674F985,SHA256=386B0EF2035547EBDD3A28761EEE9E0BA76909A95B05D11153D5FAE67FC5705E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028859Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:36.123{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028858Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:36.123{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028857Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:36.123{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028856Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:36.123{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028855Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:36.123{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028854Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:36.123{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028853Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:36.123{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028852Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:36.123{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028851Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:36.123{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028850Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:36.123{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-78A0-616D-CB06-000000000502}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028849Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:36.123{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-78A0-616D-CB06-000000000502}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028848Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:36.124{6F8252D3-78A0-616D-CB06-000000000502}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028865Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:37.639{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D091E06CDA3BB723A88912BD376930EA,SHA256=1D044D89EDED85CD5442A9378C97DDCD03A34F28510D8E9EA4EC4C6CDF264AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041054Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:37.182{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC067B6551B9A4461372A207630B6BBD,SHA256=A9C8B03B722B05BA0EAFB7FB73DA96074D1267DC96F578E95C303C3F755C785E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028864Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:37.233{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91B359B8B2EFB2E9D7616FCD75FA8A84,SHA256=5D6A4988493D684F772BDAAB0FAE66628522CBA51568210CADCF9ABC44F9F63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028866Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:38.655{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643E871516C1ACFF2BAD62826D7B58B4,SHA256=C21807452FD0259630D3CEE41CAE0A95291B0BBC959322C254FDF46F61F0FB06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041055Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:38.213{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E855A5028ABD978AD9A6C7D1B4E07499,SHA256=ED6FF289B7458780C4F301608F7F545F347C593AF373F34D9337FA0C84D8334C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028868Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:39.670{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2F488275F9E9A287BA9D7DFC586B5C,SHA256=FA2DA1B4A4BE81A331F64671A13C748904ACAAF0A336BD35C2DFF4A573DA75D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041056Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:39.291{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9782FB092A5E1F81ABD00BED5A0A58B,SHA256=BED7B8FFBCC9C68CFE6C20D803FD991B219043C28AD9DEF4F020E9BE15A0F1D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028867Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:37.709{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028869Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:40.686{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3138F25E46988202FFF811ECEBE03117,SHA256=44664C154D96DC667F098DDE45B778C747805E5C31C1AFC0ACF13F1222F26338,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041058Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:38.977{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58976-false10.0.1.12-8000- 23542300x800000000000000041057Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:40.322{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C1B762B68E724AC399F0EC9369D8BB,SHA256=6557335FB7CBCC2D2B5DDABC6C8712B1CE23E61CDBE25C0EA13A233AE0706961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028870Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:41.701{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7866008831DB74803BD3CED04B12C1FD,SHA256=000B89AA3A122A5B97C40A6C857AD1970D8E374F6395662E644D82AD44D4348B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041059Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:41.338{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A9BC57A2E3AD196F59EB0D935FF5C9,SHA256=A55867C0B2779B583C4FEA03E66017840D0FCFEF95BDA85C483B96157E08C0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028871Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:42.717{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3B0DDA9FBEB2A2CFD1F2876308ADC4,SHA256=6CB977FC0784D66F717B969167E1D7412800E3060A7820945966CD742CD2FB56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041060Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:42.510{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8A769FC19D8EC20F1667BD009C8E47,SHA256=C11D36CB81E37A3D82EF484C9E28A278ADDA7A8BC9408A146BA3FC85FAE60F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028872Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:43.719{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1F390A46A5A52ED8C92C276F261F10,SHA256=D21118AC4E62B95674A33CACE7DBB3ED96C73CFEC7659D83B6533805AE8714C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041061Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:43.525{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAC1868C96E9F7DB6966228A26B2187,SHA256=7D97ABE26B7E6520EFA28DE7723D09002648DA787B7C95920D6965B260A344E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041064Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:44.572{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE11659E115C73B83A0A953E2C9EE400,SHA256=2F98EBF833B430C57D85BB1661D295AB77D753EA67FD8CFA10BCE31C96729B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028875Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:44.725{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11DF52E1B05422C35F31847EF59C970,SHA256=D31E77E0BC424A4F661935745EAAEFBA2722205E800647A8912A5CBEBFDFAF98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028874Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:42.819{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51124-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028873Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:44.019{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-111MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041063Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:44.525{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3799F3DD1AA78FF3AEDE01B910D54866,SHA256=094682E9BD73BCE69798CCBF22E02EDFDE21225DB3CEFADC1C5DF6FA877E0147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041062Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:44.525{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E856DB5E3789FD356E9C7A03FE985CA6,SHA256=BCF979EF826BFB8D06B748F2449B71B15F60F87CB64E7456DEB7DE2CB3B8FEB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041066Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:44.118{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58977-false10.0.1.12-8000- 23542300x800000000000000041065Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:45.588{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1B442DFD7E694C84874C7AC54E0F73,SHA256=44D09C1511EA63C7F78B850526A0363E51CA3FF106E57A748135E37EC96604A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028877Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:45.740{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9E15B07AF15AE0A93AA92583CAF56B7,SHA256=EC028DDC3705BEFAFAFE61BCD1F7BD01C3E5A439532EC5D8764D2F10C9E85768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028876Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:45.023{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041067Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:46.760{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5189B27A5E6C507706874A51DDF7B36B,SHA256=6E81ADD16FA310B9AEBB731E151C35EB299C60B85BBB3A2DA2527960E91756EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028878Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:46.772{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=375042FAE0040DF63E181A376BCAF995,SHA256=B86A37DDB29584176A417DC7D84AF7FABEA6A469D43409D0380EA12663D80A7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041068Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:47.769{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18048E23AB3E53AB1FA4377B35DCE05E,SHA256=A48C3F73AE6A7754D530C970AFCFE818762E2A7AA2AB6E573A34FE9B009C3023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028879Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:47.804{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1643DE72D4808EF9C21B22E61982D38,SHA256=003FCFE3FE7AFA542B423FB04ECAFC4F29F6ED276F60AA73F3D63A129488D82A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028880Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:48.820{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B8AB7130A4BAEB59A3A6FF6F4E4A2C,SHA256=90011D566E6FECA9C2C400B62D1113B166D698D5378023764DD323F4ECAC91B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041069Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:48.785{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1020774EB25F3E8AAE0E0917F6B049,SHA256=B9C538F46A15069878A5FC91D90995F5DEE1D6AE30D3F744937751C9204E39DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041070Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:49.801{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79FEAA7CC73C11142C6D776234ED13B7,SHA256=43BDB46EE581224E42A431E89A46854C93A8BC49F8B6E98577361B33EEC5550A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028881Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:49.835{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1F32630EDF9ECFF055172E7B488A6E,SHA256=9E5E444292817A0809F46564213FE34BA91FA927815F46FA1903071058864192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041071Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:50.863{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8A0615912E3B15F1B248EAFDACBC6D,SHA256=A0F9DD0FB8B1105609C23CBD912D1C326500A664186093E717448D188C5F9E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028883Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:50.867{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C950D1FBA4AE5E6057900E55CFA2AB8,SHA256=35359D6AC513B6C8424A19664AD95D86AFB77F5B3227B8E7E7E324C5B7C5A95A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028882Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:48.781{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000041072Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:51.879{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0CBB78DFD52F0ECDD33AF4D2D780EBA,SHA256=B46AB4C56AE41A468E77806F00504C03359BAF317562776CF285F296B691D1B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028885Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:51.913{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA74C68972A3BB0D0BE5A26779E50F5,SHA256=5C21E0F61F0770F05B1AECF971C83172CDA873755B9EC1A234E68D851E483278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028884Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:51.820{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=354D883742E9C2F9FB7F686076EEFE84,SHA256=FEF3F8453D743AC896CAD2A10A52E8F8081D0B19D71B0633A5DFC7B0B4258145,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041073Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:50.127{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58978-false10.0.1.12-8000- 23542300x800000000000000041074Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:53.113{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD25082D2C010D288B93AF0E242CB07F,SHA256=0821DA6E174146341DF4C46C996316F513689F88176176A4DD0BCD8D2B99E7E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028886Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:53.023{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8F4A51ABC930C4A978B0706B38138E,SHA256=6A85770EF517C76ADC973AEB92171E7600EE20DDF5CE24E7F368E38E0DFAE21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041075Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:54.129{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56ADF37FECBB99036C3DA0288A27C09A,SHA256=E9B01837FAE85E6DA956F8E3AB6872EDE1492C8D6B708AE57AF6EEDDE6621369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028887Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:54.038{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635E160A6F9F46899564D88802855A22,SHA256=C898C47B7D9796C35AC500CEC040D6D86285E57DCDF4FD7DB8485226448C75B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041076Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:55.176{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1756AFB2283CE3B3401892C53A8E8AE7,SHA256=662B8F6AC866E1BFD09BB632FDEEEB814EB6C0B282AEB5E1E1655DF2E8E5E169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028888Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:55.040{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA18254A992A08E8A05F2820EB3C4FE3,SHA256=DC832A6B9D00E631FE937B5198E849CF2C37C55ADB41F5EF29C1E813B5EFFCE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041077Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:56.191{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED0ED14ECAC329632204F0C1233BB05,SHA256=86A57A9004703C37F30C239D1376FAAE66898DFAA9CE4E86F39410FA0429D322,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028890Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:54.766{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51126-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028889Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:56.087{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3DC78BF65F5C69A21DE6F3274C295D,SHA256=1149C189E6FBBAD06106678591D0CCCCABFAB6B7C54C8BD3A6C6CB07B98E4C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041078Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:57.426{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921FA0BF31268D094F04129E47C5FF97,SHA256=9DA0F9097C3B3BB7E65FA4EC0AC6D7A15BB215520B6A797DEBBEDF5E60AD2AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028891Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:57.102{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EBCC5911A35AB58493EE00332730C0,SHA256=02C99651496C0DB021768C2F9D02142C8C343C94B8437F6B9C385469A9235E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041080Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:58.644{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50635537F3BEBD159C9069767B720CA,SHA256=FC14AF5F2399493CCD18F4051843F62D4FFC584C925193DB2CDF892A192C20C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028892Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:58.118{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95AAD2276807A05C31473E92AC9BD19E,SHA256=F867009945A78466EE8466532020634F6D0ADF8F06F318257F95C3C70A79C344,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041079Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:56.034{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58979-false10.0.1.12-8000- 23542300x800000000000000041081Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:37:59.722{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B10D1C8DA5834993FC563DE7673AB107,SHA256=6AA5AF58A6FBEE5B8E213A6B3FFF2DF3A6FD23D26D9D290A987C2D560749CB80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028893Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:37:59.133{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD8349A3AC33CEB900CFC64CD07692C,SHA256=82676FF61A29E4001B7CF6933F09B2FA74CFA42672C3064BB0382627BC545CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041082Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:00.738{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BE92A7FB51813F0CDD16059F73C9EE,SHA256=AB14DB04B87865390F06F422564A7B5E00DD1CA81BEC9B9DFA56656297CB53F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028894Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:00.149{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA76CC9F924BEFC100E4B8A95F01D8FC,SHA256=A51A685E99D1ACAB047F125202887AD9DA565B39DC4216A8A295C07247505AEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041083Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:01.754{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE55E15FAAB345007F7B810922F6BA0,SHA256=75789CE47E5BF74726CACEACEC948E8F280CE86ADB9060C5F2551A006D0D8BDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028895Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:01.165{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2142358435205A5BD689B9E77AD62E67,SHA256=BBF74E870519BD56BAA2975C0F805797C1187775E63E1526C4315565837335E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041085Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:02.769{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261F73B969B550B4497C3BD211E9E359,SHA256=4FDE9990F1137B1612CC845929BFD3B204B82B8CA0B7CB158C296D40C3A176F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028897Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:00.766{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028896Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:02.180{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C36BC8C75D414C092F5ECAF1B9C56BA,SHA256=93BDA7EC8CA77D12C40D37F1157989AFA4F7CDB09FF937C096711395FA548C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041084Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:02.691{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B3B29A93B652985F6A49E752AD6038EC,SHA256=314497AA23F98C49E55F3FD5F952DC58AC97276387F5D59781EEA9B5F74428D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041087Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:03.785{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB6E7CB06A0037C7ECC0151C13B17E5,SHA256=C452DB3292051B3FFCE0666BEABA257E97476F22223885CBEAA274AC2C6F4E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028898Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:03.196{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4722250CF8DEB7ECF91880BA7C4DFB00,SHA256=E72F8F05E01D4683F871EC1E86FAEB156EC50267ED0BADC653EA26078DD54C7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041086Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:02.033{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58980-false10.0.1.12-8000- 23542300x800000000000000041088Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:04.801{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8345CFB0685808B7FA5C791AC622FFB,SHA256=22D64AF8112FD21C80B11245BC1931670F8DB183CCE7207F09A17CF06591B504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028899Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:04.211{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC2511559D9031F56AE77D353F1E898,SHA256=2E7B301EFF3154762B3221C68174294D6A35E55FE1CDB1B996713B9835F1625E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041089Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:05.816{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A8513A3142389F03B8F8020E4F8364,SHA256=98215EAFB1CD84E5E6A9C451FD95D1B43CE5DC6610E2D760444FEB17CC17F94D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028900Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:05.227{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E6D409196A09CAE20F3FFBE6A025F3,SHA256=2E89E257C95E232B2E3F10F2BFD671C26D84E7528D3808F5C70F9DE44CDB00A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041104Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:06.832{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1B35B8CBCBA88B8B84A503C07D5E55,SHA256=973C29048EA957706F71F4C96CAE78C25EFABB2C26F194E2CE24E82734C0F8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028901Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:06.243{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C011535A9F02F86A6A184D927958CEF,SHA256=D5C41CC3EC333F4EEB3506808C1947829A716EAFC955179B3D748E50860FA2CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041103Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:06.519{8D4DD44E-78BE-616D-0609-000000000402}30404876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041102Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:06.332{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-78BE-616D-0609-000000000402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041101Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:06.332{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041100Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:06.332{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041099Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:06.332{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041098Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:06.332{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041097Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:06.332{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041096Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:06.332{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041095Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:06.332{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041094Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:06.332{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041093Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:06.332{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041092Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:06.332{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-78BE-616D-0609-000000000402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041091Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:06.332{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-78BE-616D-0609-000000000402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041090Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:06.333{8D4DD44E-78BE-616D-0609-000000000402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028902Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:07.245{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3CB651A889CC9838CB1862340316CFB,SHA256=9DAECBB7F452CB54DB87844C71AD570F1072CDE00B6CA4FA0217ED2FAE2FE96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041133Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.710{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041132Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.679{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-78BF-616D-0809-000000000402}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041131Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.679{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041130Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.679{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041129Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.679{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041128Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.679{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041127Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.679{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041126Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.679{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041125Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.679{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041124Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.679{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041123Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.679{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041122Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.679{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-78BF-616D-0809-000000000402}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041121Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.679{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-78BF-616D-0809-000000000402}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041120Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.680{8D4DD44E-78BF-616D-0809-000000000402}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041119Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.351{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D119CB679C21FFADAD6806EE094146FF,SHA256=F0E494D14229075E2E7B67A4202EA4763D8F8B4FA1ECDC9C2C310CAEAA516ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041118Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.351{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3799F3DD1AA78FF3AEDE01B910D54866,SHA256=094682E9BD73BCE69798CCBF22E02EDFDE21225DB3CEFADC1C5DF6FA877E0147,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041117Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.007{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-78BF-616D-0709-000000000402}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041116Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.007{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041115Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.007{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041114Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.007{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041113Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.007{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041112Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.007{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041111Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.007{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041110Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.007{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041109Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.007{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041108Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.007{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041107Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.007{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-78BF-616D-0709-000000000402}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041106Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.007{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-78BF-616D-0709-000000000402}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041105Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.008{8D4DD44E-78BF-616D-0709-000000000402}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028904Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:08.339{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028903Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:08.261{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B17060BBC6B290CEDD67892BF4B16F,SHA256=A3B525BB15136BBCB1A85B34AE25ED76E9A32C5E26D6E54907020FA622651AEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041149Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:08.695{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D119CB679C21FFADAD6806EE094146FF,SHA256=F0E494D14229075E2E7B67A4202EA4763D8F8B4FA1ECDC9C2C310CAEAA516ED3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041148Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:08.632{8D4DD44E-78C0-616D-0909-000000000402}20364204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041147Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:08.460{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-78C0-616D-0909-000000000402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041146Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041145Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041144Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041143Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041142Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041141Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041140Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041139Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041138Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:08.460{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041137Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:08.460{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-78C0-616D-0909-000000000402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041136Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:08.460{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-78C0-616D-0909-000000000402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041135Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:08.461{8D4DD44E-78C0-616D-0909-000000000402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041134Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:08.054{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF5F75E9E2FA1FACF60E5BCD8AE0C363,SHA256=440D1079BD5846721AE043EC847F339BFFB67C83B75DE3A7B96EE10F28638366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028906Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:09.277{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7369A3A01629650D62D47A71A0E98974,SHA256=AC05E389CA764D4ED142C586D25962AA22C0044D06995C779082ABBCBDBDA880,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041165Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:09.601{8D4DD44E-78C1-616D-0A09-000000000402}45202756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000041164Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.553{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58981-false10.0.1.12-8089- 10341000x800000000000000041163Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:09.429{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-78C1-616D-0A09-000000000402}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041162Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041161Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041160Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041159Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041158Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041157Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041156Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041155Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041154Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:09.429{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041153Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:09.429{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-78C1-616D-0A09-000000000402}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041152Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:09.429{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-78C1-616D-0A09-000000000402}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041151Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:09.430{8D4DD44E-78C1-616D-0A09-000000000402}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041150Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:09.085{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2367F16612D8D33E247CB80ABCFA0338,SHA256=065597D8230E009F8D8A4335FE7FD3A2E61A21C12D192F10FC63AB6817418BE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028905Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:06.737{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000028908Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:07.878{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51129-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000028907Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:10.292{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25288B8EE8BC208C90B146B13006169,SHA256=8B469A1E7E4854AD8803BF89ABDD9D0CDBEBF029FE69A1342932D5096B8B33C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:07.912{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58982-false10.0.1.12-8000- 23542300x800000000000000041181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:10.445{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=646347BF78BD86D3A057416F498E3DCF,SHA256=4134F7C27DCDAAD7698B79CBD8EA394C96C5E7FE42863578AE873623CE1EF182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:10.398{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE36FB5F807953D82CC4BFE78DAD8714,SHA256=A6229F9DDB223948FC9ADA2422530BFB72CD46D7166EAB65952C3FB956F9A22C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:10.273{8D4DD44E-78C2-616D-0B09-000000000402}49204032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:10.101{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-78C2-616D-0B09-000000000402}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:10.101{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-78C2-616D-0B09-000000000402}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:10.101{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041167Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:10.101{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-78C2-616D-0B09-000000000402}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041166Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:10.101{8D4DD44E-78C2-616D-0B09-000000000402}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000041196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:11.976{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-78C3-616D-0C09-000000000402}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:11.976{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:11.976{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-78C3-616D-0C09-000000000402}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:11.976{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-78C3-616D-0C09-000000000402}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:11.976{8D4DD44E-78C3-616D-0C09-000000000402}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:11.320{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E592718EE92A32F8FC0FF1AF3CF812,SHA256=84A021CAE7EF7A7475D614CFA12C0E38D5461DD1B3A81D9B2D7195F33D2B11F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028909Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:11.292{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBE3881BC543159615BD9246DC934F4,SHA256=B34A6169C8478B2D6B5F6AE509D2DFC6F680305500670ACF8887EFF40D0D5990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:12.991{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D3D6E9980C06D1C18C9CFF4AAA03EFE,SHA256=61A519DF6C226F5110F94495A10BF7F1CA66924D05B9A396FF8BAFFBD0633D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:12.366{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC217ED82904EA6850AF161700A73D2,SHA256=4130121C83790CE44DC1736039903144103C85D5F40DE30C51CE33090DD0FF41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028910Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:12.308{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8725FF9D4C3802496A7370094614B1,SHA256=A0B5E1E75425E4DDA5E2EBE8C8D0DE1531B5BE236F2A5FCADCE730B4E1AB6884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:13.382{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0C4A96E31311E59ACD35116EC30795,SHA256=F57006F69C92505340003C4CC97CAB1F860AA1A3F470EED645004A0DAF5BA4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028911Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:13.323{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF29901EEE7E1DC38E667B42D3D49D8,SHA256=02EDCDEB3B1BBEECDEF48F37D44B4D3FDE2D8D9249841EF2D63F0258C3A73491,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028914Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:38:14.558{6F8252D3-5DBA-616D-1200-000000000502}288C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7c425-0x66a41745) 354300x800000000000000028913Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:11.800{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028912Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:14.339{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9443D1D5820AD0EB23D90863AC1377F5,SHA256=5449F4720B1D451DEE3840C10373E8CB69820CFB50F31337757FFB656B674A27,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:13.099{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58983-false10.0.1.12-8000- 23542300x800000000000000041200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:14.413{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9783794EFE99767DFF58C0E9CC25F845,SHA256=3E940F200C7D69305E8425EB363EC1E582D86954788C509B5AB7420ECEB4A1D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:15.444{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54A2E81B6D3EC1227AFB02EC4C46EF3,SHA256=69EACC30270DE4BB70289A4AAF4858FC40320FF58BDBE708599A4D3B983860CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028915Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:15.355{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710AE755605EEFCEFB13D0CFD0A2EEF3,SHA256=821A76882A8D50C85A2D00A4D814D60D9FF4BFE1753F58116E03B1EDAFDAC77F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:14.411{8D4DD44E-5BA9-616D-1000-000000000402}496C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-185.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal123ntp 23542300x800000000000000041203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:16.476{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1365928F1D10A08664D05EE2E28561E,SHA256=24A93641317F9D2CFDFA051AE9E9F968BBB9E450433AB5DFBD8174FD3D7BEAED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028918Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:14.095{6F8252D3-5DBA-616D-1200-000000000502}288C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-470.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x800000000000000028917Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:14.095{6F8252D3-5DBA-616D-1200-000000000502}288C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-470.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal123ntp 23542300x800000000000000028916Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:16.370{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62FA8344C07728A4169114A685951FC1,SHA256=4C2DEDADB2FCA55747E8A4E77A1647FC65D645B30069B3FDAA0FC84830885B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:17.523{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C999063C6C8D3F6DCFDA209F39BE5C58,SHA256=3335345F883B5B6BE6A65960BB3B1ED35752D4C7A5729A84D4257173405A69B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028919Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:17.401{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C43F11F3F70A1839896CFF2A6A37B0F,SHA256=2F6CF8B53F3E5C5866B27EA0775B2AC3E741EB7A0EF4EFD630097E24C23B99FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028920Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:18.464{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D9226DB7A32531742BD6FE0F5C78E5,SHA256=BBDB55497C51B37218F49FC360342DED3B0929B7EFBFE4B693195552666678A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:18.538{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6956531C24EC26D203BCD7C728169CC7,SHA256=6A494E4032DA5689F0A8D330D0A7FFAB63F70B3150DA501381E737D5BEED6949,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028921Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:19.480{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95056AE2093C5FD108F1A3EF9FAC151F,SHA256=C702220372D057121D2FDFCD965DA76429DB2FCA864651F76F4C56F406BA47C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:19.694{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7F326D096756E59C58E94A1F93A6E7,SHA256=BD8157155E0FAA37EC70871E9DE09D3010C0BC04B01DF28209DFF448E1E5B456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:20.726{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50701A2EA2B7A04665A48747CAA34764,SHA256=1EF681A49A95788F8F9E48F8CC96A38FDB665013D19D0EF94DCF9D5FD4A3D79A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028923Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:17.784{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028922Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:20.495{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8550BCE61D8E284E023D72D15203CF6B,SHA256=B515921551502D6FC9D5372118649B1FDBC0472DC8C08F9CA80CC847107A9EC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:19.068{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58984-false10.0.1.12-8000- 23542300x800000000000000041210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:21.757{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6A40873FA343B34F376047740304CD,SHA256=0E69DF73AA246269D8C203E1023EE7945EB9D26734FACA6F4CE335B422ECB4A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028924Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:21.495{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E450FB13768534CF8F053076A895B01,SHA256=ACE9A365B98E49CA27C6900AA3D94BC6741D633AFB75FFFEA3536F13C74593A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028925Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:22.527{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39DEBE64AD80B4F86F2C601BC23C2AA0,SHA256=7A8A7CA8F1D600D97581AC25F942AADE802C56EE3952DE39FB6317CA31869EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:22.773{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=373F7611F3E1AD4A0E880B6ED6E43AAA,SHA256=F73229142CC78A15C1E96DC3CB8D9DD3E8872D439ACF9C6496A795E0C2DBD13E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028926Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:23.558{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3315D604FCEDA283A6D821B217382CB0,SHA256=E1E6F054B96103B9141F335C840E80D6EEA029833FEDA857121D40C25CFA0BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:23.838{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-120MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:23.805{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7556D170D3D3F4B0DA4746E76218E073,SHA256=C6B8DC326322236199B0AAD55B963CCA70A884DF9661F04FD505A0B2211E133E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028927Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:24.573{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823EB6B8858B8FB894DDFA1F92A974A1,SHA256=CC01FB3A5663733F2AB44CD22EEBD50E5C9226182B62F41CF5FA4141D59E7F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:24.856{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3142572D74CA6CA48642A3D7A99F5C3F,SHA256=39C3CCA1B06BA710CB88A3B709BD107C63468A891BCB6AAB8209F2C45781E0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:24.853{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-121MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028928Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:25.605{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60AF2D9B6B09D524D9DD632EDF8D54A,SHA256=760DDFF0551D9833A68DEBCB6176E52B4BB2C2FFF4F287FC2789A19FD3BA30D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:24.084{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58985-false10.0.1.12-8000- 23542300x800000000000000028930Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:26.636{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8664C5D495C43655AE8FE8C013D595,SHA256=119B69350719DCDA7861B1285238032FBB44B6FC4840C8E2035A329D107C3EB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028929Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:23.721{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000041217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:26.041{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E156092DBD63E61681EF2B632AF504E,SHA256=6D8F146C8091CE29BD354E797A18EBB8F4CF7ED150EE55FEA50AAF3E591D9C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028931Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:27.655{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4477F4DC0CD4633A4307402DBD3A76D9,SHA256=2307A6E580AE4C5AA1FAE9F075E7296FEA8607283461C59E80259A1164CFA2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:27.042{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BD3128713B4FE6ECC0C232F5BF8FEA,SHA256=BC6EC9B2438730C1C6DFEE192A7D1D547588F5C822E7EFD87E10B080624E48E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028932Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:28.655{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E085CB8A9695557C56753D39AA3E0B,SHA256=5538398EBE78B7ED8983D8FA545935DF0C5FF916FE1BE2A0CFD3D9F545720BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:28.058{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BEF1AE06FB8DD753B7AAAA57D329EA6,SHA256=4BA094C8BBD5FECC44560A45C777E8608673AF3FA3F56461CF998CCF0BE7F2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028933Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:29.687{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827F622826D223D5F5245784254B8EC3,SHA256=C5135EAEA37AF22D82432C24B807FEBD261077CC5C27FACA11ECB99AC360EB65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:29.073{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7DF834882712C6F9C92B24924DA720,SHA256=68C8AC62563EF3F84C69E22C7B2992D4967E6897CB0DA5249D1A9CC5A83950D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028934Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:30.702{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB81619EFE6512CD705660FDF677BA47,SHA256=E00859526A55FCB7382D5514382B7256D7BB4370860E2A4B7EF8EA1D08D7D611,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:28.011{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56219- 354300x800000000000000041222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:28.011{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local63251- 23542300x800000000000000041221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:30.089{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402FF2B56DE6A34A8CB9C196A9F28DBD,SHA256=CB2562A168298590E7C9597F9E30520428A4F5532D38BC1077C249E58B287CEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028962Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.937{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-78D7-616D-CD06-000000000502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028961Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.937{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028960Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.937{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028959Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.937{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028958Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.937{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028957Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.937{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028956Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.937{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028955Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.937{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028954Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.937{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028953Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.937{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-78D7-616D-CD06-000000000502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028952Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.937{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028951Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.937{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-78D7-616D-CD06-000000000502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028950Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.938{6F8252D3-78D7-616D-CD06-000000000502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028949Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:28.772{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028948Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.718{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5D8A35A597BBD4876F0B77988EFD04,SHA256=6C8A6752C4C8108C1C79AED6B596A0446383C96B3563E228BFFBAAAB1A8345C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:29.103{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58986-false10.0.1.12-8000- 23542300x800000000000000041224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:31.105{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4AA4E4CBA944C866BD73424F8DC8EA8,SHA256=366358592CA88C7E7E88C197D079CC9730961886AB3AE5CF86751C01F48BFCFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028947Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.437{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-78D7-616D-CC06-000000000502}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028946Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.437{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028945Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.437{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028944Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.437{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028943Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.437{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028942Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.437{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028941Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.437{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028940Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.437{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028939Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.437{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028938Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.437{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028937Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.437{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-78D7-616D-CC06-000000000502}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028936Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.437{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-78D7-616D-CC06-000000000502}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028935Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:31.437{6F8252D3-78D7-616D-CC06-000000000502}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028979Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.859{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA71C7F9C8951278A19074B34EFD8C9,SHA256=3A359E9C7F7977D02F16F58BD9818BFAC01FE9A41ABB346DF6D8335E75F31CB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028978Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.765{6F8252D3-78D8-616D-CE06-000000000502}38081000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:32.120{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02917B5ED0B85891931BE24131E04AC4,SHA256=C73DDC0B5FCA9FD03028AD7C450F8CE7D3486308FDDF399B839A13299A9913B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028977Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.562{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-78D8-616D-CE06-000000000502}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028976Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.562{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028975Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.562{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028974Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.562{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028973Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.562{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028972Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.562{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028971Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.562{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028970Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.562{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028969Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.562{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028968Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.562{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028967Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.562{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-78D8-616D-CE06-000000000502}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028966Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.562{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-78D8-616D-CE06-000000000502}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028965Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.563{6F8252D3-78D8-616D-CE06-000000000502}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028964Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.452{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5645BDD418F7094E4F0C2BBBD552924B,SHA256=62E5ABBEAF2F05E6C29B9AA71B04B1DB7AA6B74DD52BFD7BCEDB722AD36081D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028963Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:32.452{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E3BE5725AF81356EAFA08691E2EEEDA,SHA256=9E21609F7F505638FBC7AC97A1A2927E270DF688B4389CACD2AD8F29C44CDA7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028995Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:33.796{6F8252D3-78D9-616D-CF06-000000000502}2680868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028994Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:33.780{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C22C0B6236EF40D84F82EDA19486ABB,SHA256=E4F42AAE189D8AE6B53572BD0E0D348A65607E3C3D6D6E3DF3970668D88838F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:33.136{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BB2D7EDC1F9B60EAB74000733B7477D,SHA256=38272C82455526F3FD50C31D9F9AAC01366BA4473CB8AE6C0311364872A05766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:33.136{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=309AD091821DC65958BDBAA5B4FDF732,SHA256=38579CFEB891F4602569ABE19EF1B04EB1D7DF2B7796FE6ED5CA08AD3C2FCB96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:33.136{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8BEC5BE31C6AA161A3A68249CAAC15,SHA256=38BC29964752E98BC88353760354D5F99A4585EAD5C6644FBE130B2D9E00C05D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028993Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:33.577{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-78D9-616D-CF06-000000000502}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028992Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:33.577{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5645BDD418F7094E4F0C2BBBD552924B,SHA256=62E5ABBEAF2F05E6C29B9AA71B04B1DB7AA6B74DD52BFD7BCEDB722AD36081D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028991Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028990Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028989Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028988Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028987Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028986Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028985Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028984Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:33.577{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-78D9-616D-CF06-000000000502}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028983Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028982Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:33.577{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028981Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:33.577{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-78D9-616D-CF06-000000000502}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028980Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:33.578{6F8252D3-78D9-616D-CF06-000000000502}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029010Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:34.796{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081DE746113E4B5689A719A8C321BF05,SHA256=45EC1498C14F72F3C28A4905EC4E33DD1001BB9F76D89AE098231E81EFB1C549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:34.151{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9529A8D76D777959985A25CE7A63A36,SHA256=028D4F165D5BC77B5BC81141F566DD72FE72BFB23FA6B5CE8B923870CC31F8C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029009Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:34.702{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-78DA-616D-D006-000000000502}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029008Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:34.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029007Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:34.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029006Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:34.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029005Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:34.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029004Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:34.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029003Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:34.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029002Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:34.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029001Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:34.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029000Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:34.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028999Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:34.702{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-78DA-616D-D006-000000000502}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028998Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:34.702{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-78DA-616D-D006-000000000502}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028997Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:34.703{6F8252D3-78DA-616D-D006-000000000502}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028996Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:34.593{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16FB8C7DE91A84829CAF062DEAB0F751,SHA256=C79D784C5B27A4305CF67A6AA8D62DDF7174EDD2BD453BC7822FF4CF62FFD7CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:31.947{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local58987-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000041230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:31.947{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local58987-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000029040Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.968{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E7715F61D61984F0FD70A85EFE29ED,SHA256=E9AB2DCFDC7E4E468C5A69F20B4AE030C11927ED6F064599149645B3525570DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029039Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.905{6F8252D3-78DB-616D-D206-000000000502}26921876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:35.167{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631CB3F85AD609B7EA5A0A707127C10B,SHA256=7DD109A7AA3307708974615C46612468A632F708270FC12A7EC43FFDB2BC87BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029038Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.718{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A78AAB0556E01A9550483122CCD2732F,SHA256=2D0FF66CFC05B2273649F2F16F931E7C6887BD9B54B527954A8066B32A4E14D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029037Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.702{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-78DB-616D-D206-000000000502}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029036Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029035Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029034Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029033Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029032Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029031Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029030Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029029Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029028Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.702{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029027Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.702{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-78DB-616D-D206-000000000502}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029026Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.702{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-78DB-616D-D206-000000000502}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029025Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.703{6F8252D3-78DB-616D-D206-000000000502}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029024Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.468{6F8252D3-78DB-616D-D106-000000000502}24042240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029023Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.202{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-78DB-616D-D106-000000000502}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029022Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.202{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029021Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.202{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029020Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.202{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029019Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.202{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029018Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.202{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029017Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.202{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029016Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.202{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029015Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.202{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029014Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.202{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029013Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.202{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-78DB-616D-D106-000000000502}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029012Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.202{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-78DB-616D-D106-000000000502}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029011Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:35.203{6F8252D3-78DB-616D-D106-000000000502}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029041Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:36.937{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB9E385D86924FDFBF4E6632561A55B,SHA256=9E285D7AAC0E180359A9791321E67DF332C9DFA04491A087FDC6BE1C680729CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:36.167{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B635AFFC07DE8B3591EA81895A999A7B,SHA256=8F0AED65DFEBEE61769254A13B9FEBDF5DA470F0ACA848822F8E70AFBCF55152,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:34.884{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58988-false10.0.1.12-8000- 23542300x800000000000000029042Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:37.937{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF404BA4F01B456B295308657E15DAD,SHA256=C284BBE3A0301544940334DA260E94AC6652E84F4FA0E652FB6C68E9BF0DA423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:37.183{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518630AB172EE332EEDF4439BF07E491,SHA256=1BA9C65E5977EDBAD5F23CED74A1F120F88F78B9C8A442A06B1918D026134297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029044Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:38.968{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE420395BD3F6963A86A866299C68F49,SHA256=1FB8A6904E67026AAB683E777745F478C9C63DDA6598507F3C79FFBA329B306B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029043Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:34.631{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000041237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:38.198{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC423EA22CF45A916A24EC4CA9DA84C,SHA256=37F74782CE4D2C1A42DC31950E37B83E11305BB1DF37610517C6B9AFBC25895C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029045Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:39.984{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D2749ED74F823D8638D73BDBC20DAD,SHA256=15059E5AFB88AC21D2FC5D5A24C68DF1F10FBEB4A97682CD6772B61045B7959B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:39.214{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3F5F9166029C18B6C650AB00C180A9,SHA256=C711FD2BB9E88FB324C3EA4BEB1593E01B62D4D11E83C9412936B97CBC3208B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:40.230{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD6940A6CA424247F0CFEE40186444C,SHA256=6CA49335E7406F4FC6DE74E05FF8B0719FD5B22102A46E25B75CB82CB18FD10D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:39.916{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58989-false10.0.1.12-8000- 23542300x800000000000000041240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:41.245{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1416CA26227667CEBD48600AB7BB427,SHA256=94FE0292783EE13DFB755ED22EF36FEC5EA425AE8E76EAA364279FDEE896622E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029046Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:41.015{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC9E4C5F860A66FA18A8E3AFA3BF3109,SHA256=53CB3D832783274A01109B83D290006726DF1D3FFB38950CFDE7243EE77C5981,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029048Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:39.678{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029047Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:42.046{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C600713FCB1CD3EAAD5033A5C000663,SHA256=C813FFEDB57F07E4D771FA55D8F3587C1D0D98DC6C5F3430FB29D79FA77CA810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:42.261{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4A1A0289FA19F3C677693F9EAEF6CD,SHA256=22668C9797A709B551D6361E4E5EED104E0973DB297806D262198B28ACE84C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029049Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:43.124{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7405DFF4C7787C3E4EBB368F7917C6,SHA256=ED3E54F90E801DF9B806615F32C20EC5112DC0116BEAD771D75D056E33E0E2CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:41.542{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58990-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000041244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:41.542{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58990-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 23542300x800000000000000041243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:43.276{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA77F9EC354D15E00C5B3812B9FD15D,SHA256=AED0522C3B85CF3B307CB22D7D0BBB537DF69F329B7AF7097F8BC227D7136E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:44.292{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37187BDE43548F6F0F0FBAA288843512,SHA256=B29BC5DA62EE229BAF245028A6B8D0BD991AD4B6E408108CE5B1A38249E1C7C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029050Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:44.140{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025153914076F5131803AFB95958F9D9,SHA256=8CF033814E72A3152646A03C730AB629EF027034420B3E4D66CBE554D157B018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:45.292{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1A5F7B0C7BF929E7A1C2745ADDA46D,SHA256=663DA73B0D37231D456C2A6BCA0A65940549DC8968501D9315D6E5B5F3B9F9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029052Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:45.548{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-112MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029051Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:45.171{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03CAB70A61CCADC07901580B1969E5F,SHA256=AA5DE4BD48BCC010CE34669A3D4B06983815155BFBCEC8CC2136A19562C4CC99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029055Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:46.563{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-113MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029054Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:44.804{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029053Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:46.172{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D24C06E783BBDAC42EB277DE266A58,SHA256=97D8F540695BEB809D9D990F37669E3D1815FECCEF80B275EB011252C92FFA9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:46.308{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127BCBF28B4AF8BC86F54FF45B5F2D29,SHA256=0A92A8250087030F06B10E13A3C7D6311E5327A92597464429C95A3BE7C617EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029056Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:47.189{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C5E443710EFFE158DD1088A1AFE346,SHA256=F135DFFABFE543551C664D6035637AD7CCE7C1D2A391E766ADF5DE2003CBC03E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:45.931{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58991-false10.0.1.12-8000- 23542300x800000000000000041249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:47.323{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F41281703EFB5ABCEC3589656D08ED6,SHA256=E5D11266F3AFFBC3BE89D624EFB9CDA29D60E82280E9445523D7CEBBE7BBE33B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029057Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:48.251{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E1D54EC8FE3686FA620C44CEE21D27,SHA256=88BD382E0C7F4B91E662E5326486EEA7229EF85AC04A693E2B9C48D4D1F3BBDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:48.432{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACEBBFEECF64693AD7B59AA74422A81,SHA256=6B748CB41F30FD2D0E124A001C9BD075D80D992F80EF7776E0759DE3D0D551EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:49.667{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771ABCE43D052F42A23BBC34CF6B74B4,SHA256=9BA091F55693FF1BE31AB783B60B687A6F7CBDBB6478FBCE6054AA9C45CFD577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029058Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:49.298{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93A9174593DC41BFEFFECBB851E95EB,SHA256=1E98F853EE4A02947DE14D83E1FF933222D0B3BC33CB843B4E0615387F7725A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:50.682{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A50F12C8A06BC249436665DF6B41DC,SHA256=ACC3A9301366E66DD7F3F8ECEA9F07E73F583EE8E78AA8027B1E390A853F785F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029059Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:50.329{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409CE5943B40289E95EAF9DE054A5B5B,SHA256=DA0B88D4BD5EE1534A7DA7C8D904A58CC58D12EE9846A15FADED671B45105FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:51.698{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA735599870D7DCD809DEBF359452463,SHA256=14411F23D9C588303C3D85CE8C0D27AA7356D7DDC439574BCAD6A2C03B1A810F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029061Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:51.829{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EC8B731924606C4722D81FFB67F3B22F,SHA256=581958E8BA4120B1B7E268EB3C8CD7E374A20F79288F279B5B14F0568B08A578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029060Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:51.345{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558598FE174931CE01442B47079AE23B,SHA256=965E933555D7F3BDD826F1522E9038E6A3AE28F87DAC61E1EB185C7478AF10D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:52.948{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9498128A1636B0D3ED061938B71D77D4,SHA256=A9887018D224410AEBD33906147AE819D827274B89103CC2A94C1ECA3691C252,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029063Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:50.648{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029062Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:52.361{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4305F03B57A0F3EC0DB09DFB531D74DA,SHA256=C7733743672C29605F9C577C067C5C7EDC820C0AF2B59121404ED88E521BEB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:53.964{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21DBE63981ED720F43C3127DD38C64A7,SHA256=69A086731FC7F20AFAA2B41EC0B3F09422308AD027BCB96C0FCD389C4A90B0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029064Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:53.376{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0527BC9D415FB3FBB13E847958233F62,SHA256=0FB8B9F732F6094DFDD629BEEDC7582E55D73B6A8C31FE445F29CEE60AEA3796,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:51.118{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58992-false10.0.1.12-8000- 23542300x800000000000000029065Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:54.376{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1877EAF362D21D326E61992F2543F5F1,SHA256=86F111761C6536013A19A23944CDD0DA731466DB34F024C2B0A6F93D88C48693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029066Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:55.392{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED56C93315885AC8885FBE70C3C37FB3,SHA256=3924464F8E1E91B1FBE2683FEC421B0985ADE5786EDFA14F3C41EA0D28040B5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:55.042{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4093A89BA26EEFA20BFE84E72F7EC172,SHA256=BD268F1BD051F1BCF10560B220CFEBD95F40E618F8E24DC36536BDAFEAED502C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029067Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:56.439{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C7AD7E95A3019F379D8E3E3ABDD995A,SHA256=1EA98D1FAC606BB96E732CCAAE962A3AC4DF2FCB02AA9AAB6251AC25229F17FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:56.073{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02BDF407885AC13B5D8F5674A21B5139,SHA256=04939A8E11972610CC4B76ED50D98ABAF547A320706847A589A3C16B28C52DC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029069Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:55.663{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51138-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029068Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:57.454{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66BAAC93FA829B1FEFBFC16320F5890F,SHA256=EA5982866D09401B1F64594737185682D09411D0ACA215067752461456435394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:57.104{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB5CCDFB9746D88EB70AFBA875EEBC7,SHA256=313F62DDB68D9FFD24496C52575819475C1384E6D1D2FD1FE5AE3AF5292D6203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029070Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:58.470{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2A1010A56E5278D599D54EE8E7A18A,SHA256=60C42624B121B94C3E5887D2E5AFFDF5A1C1B3CC7FE918C7053A9045FF631D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:58.167{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E5381D0CD8246931124F2EF6F57353C,SHA256=9193293E565E133DEABF02685223ED13FEB8F448286A7560BAE9EF595179A6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029071Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:38:59.517{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312A7FEB276E8032870ED02C80A28371,SHA256=42827DD7984829E847A4A57BDB86132D387449DBEB50D0D62070E6CB92BA2DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:59.182{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82FDF38149701A711F45B9F67E0A209D,SHA256=FC71C2EECF2F25FCACE65C2744302149E01F54C0963C701C7B71454D3E124A9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:38:57.055{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58993-false10.0.1.12-8000- 23542300x800000000000000029072Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:00.548{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CC8B221AD6745C975442940F878C24,SHA256=2C6E540E8C5A73827E03C0C743CF3734ECC9A0757C5FCB5B437FE4065A355C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:00.417{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A01094000E55CEE40DCCDB6F896725,SHA256=4F552D51F587EF41DDF97B848036EC48A122A71170485831F297A041D99DA040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029073Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:01.548{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75568C275831A7B4D0455F507151411A,SHA256=F8E52C2FFA76667B19A738B4524AB122B01EF67A008CBA504CEFB4C37C01D00A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:01.448{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB6C1C3A4D67C947F94CE84747F852E,SHA256=3DA1EE21FA0D79DC87B87AE9C4E3138438F30CB0D1BCEBF99964263ADA693C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:02.698{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FAE943E7FB7F9D56A2C9EC22717F520A,SHA256=1BAC08F2D104591F7CBA62750DAD0B676A8D464BE7F2F90B6479CE6B9CEDAD3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:02.510{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EEBE17EF2D18535F68B4ABEECD92D83,SHA256=5184BD640ECD13D3D685C10AA790313BF6FAD5E204B214209C7A8903666F3002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029074Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:02.579{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009BAAF29BE0F77DCF4D635332C6F2AE,SHA256=5850FB17736257874412908623984648B6798084020A58E507101088CCE67F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029075Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:03.642{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE0DDB833A8DF29E2B924B2FC54675F,SHA256=BB8AD56275CCC1B211B9F27BAB5569B1437BDF26209929D5DF0CA49301040A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:03.526{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0282FCCF99B2BDEE3731A40EB8D40151,SHA256=8EACA8216210F03496ABCB222736351F183CC7ADA42CB287193841C60F9B0E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029077Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:04.673{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6ED34083D849555796EB6FA4E854C6,SHA256=354D6D007BE45B9F3FF91E3A9B001013E0DBD438FE85E06C84A75B2B343EC81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:04.573{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E346F172C12F0F0E26FDEF94C53E94,SHA256=10F9AA8B1ABDA2B5F519F12D9FDE1826D3F55E88268BBD654BDCE8994BA0744D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029076Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:01.695{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51139-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029078Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:05.704{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD882D132AFAD3CC2B8D549693816D2,SHA256=00976D18671CDFF527BD0F32EA48FBBBF95B80F549DA15C9C10E878082ABA12F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:05.604{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B921BE0B3CB70DEFF80F151F0BD772A,SHA256=3DBFE471E23C27A4A9646AE6AB25700919CD9BC9A82427639A53A021CE0CAF3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:03.102{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58994-false10.0.1.12-8000- 23542300x800000000000000029079Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:06.767{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7207B8C094EA43F82BEEE517D36EB5,SHA256=B811BAFFB0BF6676D06380430A01014C88004E0D5F905644BC466FD28BAAC093,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.838{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-78FA-616D-0E09-000000000402}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.838{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.838{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.838{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.838{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.838{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.838{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.838{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.838{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.838{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.838{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-78FA-616D-0E09-000000000402}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.838{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-78FA-616D-0E09-000000000402}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.839{8D4DD44E-78FA-616D-0E09-000000000402}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.651{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D5F588F246F4F6EC1CB3FBABF3D9F17,SHA256=70BBA54071A5B1D3BB158338A5EB6D6730D71E6B5141E9927140D76CB243D883,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.338{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-78FA-616D-0D09-000000000402}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.338{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.338{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.338{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.338{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.338{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.338{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.338{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.338{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.338{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.338{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-78FA-616D-0D09-000000000402}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.338{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-78FA-616D-0D09-000000000402}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:06.339{8D4DD44E-78FA-616D-0D09-000000000402}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029080Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:07.816{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AE2BD20D1296A74D032A214D1A7FEF,SHA256=F68A9C737AF6704295E5EB395E31E86498A543F7FF62894B0BEDACC628CB30CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041316Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.733{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041315Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.671{8D4DD44E-78FB-616D-0F09-000000000402}47004564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041314Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.671{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74617D90577D8EF02D9B3E7034AA4600,SHA256=8D80F5A15B57E4F3420EC375900507B9B5D5DD95BCCD64A3B634E0892B983DFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041313Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.499{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-78FB-616D-0F09-000000000402}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041312Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.499{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.499{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.499{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.499{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.499{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.499{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.499{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.499{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.499{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.499{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-78FB-616D-0F09-000000000402}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.499{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-78FB-616D-0F09-000000000402}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.500{8D4DD44E-78FB-616D-0F09-000000000402}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.343{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEDBBA99BD84598384900A895A621172,SHA256=4CE19E4EB0FD42ADB777FE909E76139E9D86156F93050880AF0019887C315587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.343{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BB2D7EDC1F9B60EAB74000733B7477D,SHA256=38272C82455526F3FD50C31D9F9AAC01366BA4473CB8AE6C0311364872A05766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029082Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:08.831{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1FC91DCC833E672E970485DD154446B,SHA256=04C092E0DEC08B2687ADDAEA820D92AEF138F2EFCCC753BD3DD99B638D66E335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041332Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:08.718{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B71F3090520A5084B1F4ECFBF71EC06,SHA256=6CD4201CECD367A6B428D5D358B80FBD988CC62E23446E2B6E6CD0CA143516F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029081Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:08.363{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041331Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:08.625{8D4DD44E-78FC-616D-1009-000000000402}4001060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041330Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:08.531{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEDBBA99BD84598384900A895A621172,SHA256=4CE19E4EB0FD42ADB777FE909E76139E9D86156F93050880AF0019887C315587,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041329Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:08.452{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-78FC-616D-1009-000000000402}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041328Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:08.452{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041327Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:08.452{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041326Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:08.452{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041325Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:08.452{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041324Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:08.452{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041323Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:08.452{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041322Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:08.452{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041321Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:08.452{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041320Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:08.452{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041319Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:08.452{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-78FC-616D-1009-000000000402}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041318Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:08.452{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-78FC-616D-1009-000000000402}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041317Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:08.453{8D4DD44E-78FC-616D-1009-000000000402}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029083Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:09.910{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE42944F87046C2D32B76C0C41468BE1,SHA256=1B1FD9643B5BEFA5B0F40E0ACD76D1B23015A3E9BE9815BCE51BD2658D2FC1B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041361Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.952{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-78FD-616D-1209-000000000402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041360Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.952{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041359Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.952{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041358Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.952{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041357Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.952{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041356Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.952{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041355Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.952{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041354Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.952{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041353Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.952{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041352Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.952{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041351Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.952{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-78FD-616D-1209-000000000402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041350Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.952{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-78FD-616D-1209-000000000402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041349Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.954{8D4DD44E-78FD-616D-1209-000000000402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041348Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.733{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA594A1E441A8138231D88CB38E26C0,SHA256=C65BE971B055B387DDAAB39850DAC1590A149DA09465637EABE76DFBF176FCE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041347Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.577{8D4DD44E-78FD-616D-1109-000000000402}3424388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000041346Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:07.591{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58995-false10.0.1.12-8089- 10341000x800000000000000041345Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.421{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-78FD-616D-1109-000000000402}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041344Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.421{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041343Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.421{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041342Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.421{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041341Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.421{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041340Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.421{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041339Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.421{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041338Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.421{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041337Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.421{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041336Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.421{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-78FD-616D-1109-000000000402}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041335Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.421{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041334Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.421{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-78FD-616D-1109-000000000402}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041333Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.422{8D4DD44E-78FD-616D-1109-000000000402}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029086Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:10.941{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA88907FC3D2F644FFCE714D6A063DF6,SHA256=FE91E9CE575E559067D7CA77D7DD848A29810FB113719D87919BCBAF554B12C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041365Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:10.765{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033A94F4F95E78D910E379349DCEA6D3,SHA256=EA9BBCDBA8CA64EDA9B08536CCD17C32E9E21C0355624C4FBB4619187658775F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029085Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:07.900{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51141-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000029084Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:07.712{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000041364Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:09.060{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58996-false10.0.1.12-8000- 23542300x800000000000000041363Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:10.436{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=768EC9B09B7566F45A8C2EBA94923710,SHA256=8AEF59B6C0E9295685E99A698B3A139BDCB31C425EB381A1C3BBE0187533DEE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041362Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:10.108{8D4DD44E-78FD-616D-1209-000000000402}23524132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041379Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:11.936{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-78FF-616D-1309-000000000402}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041378Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:11.936{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041377Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:11.936{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041376Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:11.936{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041375Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:11.936{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041374Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:11.936{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041373Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:11.936{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041372Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:11.936{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041371Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:11.936{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041370Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:11.936{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041369Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:11.936{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-78FF-616D-1309-000000000402}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041368Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:11.936{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-78FF-616D-1309-000000000402}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041367Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:11.937{8D4DD44E-78FF-616D-1309-000000000402}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041366Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:11.796{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C74E7E30E353410A7223637FCB100C,SHA256=3D425F52C068981C3A40AE369BE1F41C98C2C632860DC4C1689657DD7166CDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041381Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:12.952{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7538E761DA306C06F224ED567911227B,SHA256=ABE395304479095929DCB3B58C99B9075587B5AD36EE560DE5791B140372C340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041380Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:12.811{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB86164F03D17772218B9D4AD6269C4E,SHA256=E6B55A2844571D485DCB599836C2ED6B22ECF5CED51ACD2F4E9F0D2B63BF24C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029087Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:12.003{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114C1D7D954714EA2825C1B5F4813CAB,SHA256=8D097EF1B116B8BDA1F3C596D7C9CBEFCB70B77694ED28564060FFEA7A2A3973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041382Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:13.952{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854A06AF78A72ADC38E575A4702E7B33,SHA256=E26ED66586901A428BCDDDA9EDFDEED91B374BBDBD883B9C132FCEF6882472BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029088Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:13.050{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1CDC845E3988609D19DF231089BD584,SHA256=954B572D7751377CCFBD6315C59320712EE02CD6740BBC2AC8D4E37936B5048E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041383Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:14.968{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF7A6625D9616A66E5911DF932E3918,SHA256=B647DE83C4B1713DD943C1CC25CC6F6F202EB4745BEA9DA9A62D5F6EF1011597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029089Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:14.097{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79EC98AF61EBAE2FD99B278B294279B5,SHA256=C22DC3851CB69EA1556CB9A2A1E47D0DB250B1C6EDA8345385CFACF7B45C16A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029091Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:13.634{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51142-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029090Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:15.113{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D838E19678759B6AB8E9F51914B80D,SHA256=ABDD429E25085FF6D96D3F23B19A634D9F11F60D171711BE6E20D6D9B4B4C7E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041385Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:14.919{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58997-false10.0.1.12-8000- 23542300x800000000000000041384Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:16.186{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F7272DC49CCDC19D6E3FC9E2DF626F,SHA256=3FD26E27F87D48B231ABD78536BFEE5EF59D9814AA2A85B2F389F7CBEF0D2AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029092Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:16.144{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061E371B95687C7CF57F79015B1D74E1,SHA256=0CC3522AC9B86AA14EA4DE10A4C736AB5333ED297E192AE5E5B5B078D35DFBB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041386Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:17.421{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D34D973F5150A7006D262FBE377EC2D,SHA256=9D24C39336E515BD9908306937446A7FD704CAB3951B474DB171DFC49D650C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029093Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:17.175{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E11F2E47ADD041A103E9BFCE677322A,SHA256=C968CE21ABFF7AC5A52A5CBB1C94D049BF6093B647FC90F2A174E77A16FA3EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041387Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:18.655{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2D9C71D9A0D1AA5A8EF38216EA6DB7,SHA256=772FFD648D495FE497DDB0D2A439406A48ADF2F1B8C02197771CA2494B2D53A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029094Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:18.191{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67FD9F548EBF3B67AB5A1912C402741,SHA256=8FF569F1DFC37E19B18D94356EDC86796FB26F5AB96DAB287657F5E016A6AC2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041388Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:19.655{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE98BC161482F014A2DB65C4E905EA58,SHA256=330F25D373814D79FAA233E457D3C216919C68EFF2B328CC96C0569BF7E791D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029095Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:19.269{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B3E52E750C04F88C1D53ECE17D5419,SHA256=3BE47BE9F9CE129D45A9811EF0A7F5F458829277FF45087C86EA5BE23C47B9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041389Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:20.672{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B3B2BA46370DA516C4B0BAD7BD8F6A,SHA256=063F6E52F69758FE4B9CD41B31FE62D53C488FFDAC8A8158C6E0836B89E2F43B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029097Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:18.743{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029096Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:20.285{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E26F39D023A53CD018DA20CF01ED15,SHA256=72CBE63CA632D34B2C6E990CEE372BEA243CCDDEEF1D0F0FE58110DCD6D7A95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041390Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:21.719{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419276BF4F36CD06E4A712AD482B3953,SHA256=696D5E095CB52CFC073B23AC35F2FCA22EAFDF830052446381AF715FBB118264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029098Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:21.300{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51EB1CB55328FA7D3B7E954D0E10574,SHA256=07C6FD65B22D8C53382852C7FE30C7AE6265D28751DC3DB529A3597C5E8717D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041391Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:22.766{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE4A11D7533F23D895F0D5ED371048D,SHA256=9DDC1E656E008C794097B009C75F0B2D149F356647FE5B4BC8F8A7CE6F08C83E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029099Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:22.316{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D131B9AAE230680A9FB7CA483F6BEEEC,SHA256=A0AB7FB978FE9CFC6257E00B2B401A0FCCC063ED665FB55802975F92BC8E03B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041393Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:23.781{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A33871C8027DCFFEC681E445E7F34E3,SHA256=A30C1FCA8D6F061B11BC127151290DB6D34A2E4C9C11DEB2F3FBD5E0DC9AB47C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029100Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:23.347{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900AB36F39E03389F565547E7152F4CC,SHA256=5687D528E2A637EDD2C7C780F494C859144E0C8B2EA2E6206590F523956FD338,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041392Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:20.905{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58998-false10.0.1.12-8000- 23542300x800000000000000041394Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:24.797{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B90BCF826B1CE2CDD625C7546B5AD7,SHA256=4970F7ED9B655626F69B5D8F137B10640E38D778F0B4106C7DA4040E149760B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029101Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:24.363{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E591BD2539B508BA54829311C8230CC,SHA256=5F4E633F29A66EE1DCA4F90A8270C19C4C438E41B0A48A93078F556DF71E0776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041396Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:25.798{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F7552AC8CF50372F3CA73B026CA9A3,SHA256=453D7CD272E9E8DB9A850C25B1C9E659FADAB5621E94B9557E6E7BFB3C272165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029102Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:25.378{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC4092063D48D6690677843468F4E1E,SHA256=6668FCB45678194F3CB7B6939146B6C98E82C76F83F0EDCF2D1C1952BF633CE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041395Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:25.378{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-121MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041398Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:26.812{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC39E4D06D3DA7FF5528F7E78DF608D,SHA256=B003854ECBE27A3B6BB172D17C8CCE7C150941B898015EA85E2F902183FC59F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029103Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:26.441{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9CD0BD2C7331B2F37822350FEF2C01,SHA256=9618408738CDF27761FFB59C4850B742A4A5CB9B954A370D740B5D853495419E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041397Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:26.377{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-122MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041399Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:27.825{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABA5992877B4AF38558A4F98CA78FDF,SHA256=DEF6E1C9F309F1F6CFD7A8925B94EB19237BB13BFAA65E2448B436F8EEB0EDA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029105Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:27.485{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39DC17402E5AAAA6BF02B1D223AF124,SHA256=1E43C68DC72CA6000ACF17FFC12B3FCABB06B05C5500E20E9540711B5457A6F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029104Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:24.774{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000041401Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:28.840{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FB4D5C359783690AC575A6C64504E5,SHA256=449ADBEC34DED9F6F26CB94C1B5897018BE5274211C04F7739C5C6DC0A064B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029106Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:28.501{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=702B637BF3C08A5BB0F2BC52897E978C,SHA256=B1CA6D5A56D6046473F443239BDA2161F21C8E2072BDC1B4457F27ADB26603C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041400Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:26.093{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58999-false10.0.1.12-8000- 23542300x800000000000000041402Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:29.856{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A739C776FDEE75DEC92868EF9490AB93,SHA256=FE82E6DC2964C2E061892A251B689A651B7844C0DB0F0E1EB9136D58EBAF7B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029107Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:29.532{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60956B46EF0D134375F0FF7E9CC149A5,SHA256=09ADA32BB33843D4B02DA918062D6441465562FDA315211DD2B43D2BA52C8E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041403Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:30.871{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1AAF2B3A1074A9E466364EEA4B2644,SHA256=9DDB4A4B0BE88D664739AE0962AA154D37387456E968BD31A7091F2ED0DF3DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029108Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:30.548{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081EB5ACE047CBC804538545A359EFCA,SHA256=C7585CAE707E4FB9E90D727847316D792A9AC4ECBC0824B27D65089BEC46936D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041404Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:31.887{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6127A17340B322C2D3ADC56E46BFE894,SHA256=B3D9B0F270D2E10E25F7A1E14D24818105EAC131230BF1D2194AD41E65455423,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029135Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.970{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7913-616D-D406-000000000502}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029134Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.970{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029133Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.970{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029132Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.970{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029131Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.970{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029130Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.970{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029129Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.970{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029128Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.970{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029127Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.970{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029126Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.970{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029125Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.970{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-7913-616D-D406-000000000502}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029124Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.970{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7913-616D-D406-000000000502}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029123Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.970{6F8252D3-7913-616D-D406-000000000502}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029122Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.563{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402EE8216201CFC57F7E5C88043C523F,SHA256=135F6AB0E16F53D73D18B1E4FFB543EF7DF4D0AEF9225746C49EEE46CF4B5029,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029121Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.454{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7913-616D-D306-000000000502}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029120Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.454{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029119Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.454{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029118Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.454{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029117Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.454{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029116Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.454{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029115Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.454{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029114Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.454{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029113Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.454{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029112Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.454{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029111Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.454{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-7913-616D-D306-000000000502}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029110Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.454{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7913-616D-D306-000000000502}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029109Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:31.455{6F8252D3-7913-616D-D306-000000000502}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041405Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:32.903{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFCF705BD0F0FF7DD7F2E3D9AE52EA0A,SHA256=0ED5230C8A5E1EC8E98C2AF9EFDD8FC0B0C3E5584F1F8999DB3017AAC8C820CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029152Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.595{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465380DEAEF8A0098D8CCFE1B5565354,SHA256=A1BC476F8D654277F59B8F28DCA849A41973DA0AA3FA28CE87CC0B6CDFA70385,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029151Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.595{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7914-616D-D506-000000000502}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029150Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.595{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029149Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.595{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029148Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.595{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029147Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.595{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029146Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.595{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029145Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.595{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029144Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.595{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029143Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.595{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029142Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.595{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029141Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.595{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-7914-616D-D506-000000000502}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029140Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.595{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7914-616D-D506-000000000502}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029139Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.596{6F8252D3-7914-616D-D506-000000000502}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029138Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.501{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DC563B995AB2C23A4B144268A27CEF4,SHA256=558A6B3F349EFA4C5347B138DE4711B68BD404EC3819853EB9C810A54E734152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029137Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.501{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5DA2509A47B8FB7E473D63190A21B86,SHA256=686A6B3167F4EE78E6CAB3ED58706598216415E57148CB2B0B6101ECC8BB0CD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029136Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:32.126{6F8252D3-7913-616D-D406-000000000502}26364044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029169Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:33.829{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08AA63BF4E46868E688DD1CEB988BCB2,SHA256=DA82764BD70EABE7D0E7ACCFF71AF5F93821BF6A4E41DBE61875334D0BBF6A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029168Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:33.829{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DC563B995AB2C23A4B144268A27CEF4,SHA256=558A6B3F349EFA4C5347B138DE4711B68BD404EC3819853EB9C810A54E734152,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029167Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:33.704{6F8252D3-7915-616D-D606-000000000502}25283936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041414Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:33.903{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2101C542316C12AA812624CC030A1F7,SHA256=AD1BA5AF7B36FFC50342172604DA83B1FA423E8014490AA4E38F3410CADF5A7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041413Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:32.073{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59001-false10.0.1.12-8000- 354300x800000000000000041412Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:31.963{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local59000-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000041411Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:31.963{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local59000-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000041410Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:33.184{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A93BE1F75C626838691064915B9348DF,SHA256=48F49484671A614506970B62A47FA26E295EC4893907491A3F76A4381C185A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041409Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:33.184{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A0FA3A3F8643FA0478A0B210DD0E7EA,SHA256=3051D9DB5DDA50713E322297B347C4D8FA3D34760416826F2558937EE531F82C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041408Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:33.106{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041407Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:33.106{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041406Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:33.106{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029166Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:33.532{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7915-616D-D606-000000000502}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029165Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:33.532{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029164Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:33.532{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029163Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:33.532{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029162Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:33.532{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029161Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:33.532{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029160Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:33.532{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029159Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:33.532{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029158Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:33.532{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-7915-616D-D606-000000000502}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029157Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:33.532{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029156Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:33.532{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029155Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:33.532{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7915-616D-D606-000000000502}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029154Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:33.533{6F8252D3-7915-616D-D606-000000000502}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029153Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:30.662{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000029184Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:34.970{6F8252D3-7916-616D-D706-000000000502}36323804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029183Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:34.720{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7916-616D-D706-000000000502}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029182Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:34.720{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D925CF56871E8F660D5A414803F64BA6,SHA256=62136DBC7FA79B5467D6E1D657DEA4D1A93066E0E14ED9E5F16E897AE5E85BEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029181Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:34.720{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029180Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:34.720{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029179Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:34.720{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029178Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:34.720{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029177Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:34.720{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029176Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:34.720{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041430Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.965{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029175Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:34.720{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041429Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.965{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029174Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:34.720{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029173Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:34.720{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041428Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.965{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041427Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.965{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029172Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:34.720{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-7916-616D-D706-000000000502}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041426Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.965{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041425Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.965{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041424Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.965{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029171Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:34.720{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7916-616D-D706-000000000502}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041423Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.965{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029170Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:34.720{6F8252D3-7916-616D-D706-000000000502}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000041422Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.965{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041421Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.965{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041420Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.965{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041419Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.965{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041418Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.965{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041417Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.965{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041416Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.965{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041415Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.918{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460F190525257B2E340789B0194D5F42,SHA256=2B4FDB747C13BD9F8FD2DA593780AAFA626A773DB4B9AE39D4C0DD4A1B75AC00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029212Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.907{6F8252D3-7917-616D-D906-000000000502}30123124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029211Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.767{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A66B7951943A2A28924A7000DC69D131,SHA256=6827061CDD2FC012386F6B9DAA89DDC49EE9F6495FAD3B23E557AE0EA6D0C496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041435Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:35.934{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6FBBBFA137A77FC07E2E9F38B67868,SHA256=B745A40BECABE1E525FDECB9FFD84DCEF6A9E037562637B05050CCA342E3F27A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029210Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.751{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7917-616D-D906-000000000502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029209Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.751{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029208Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.751{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029207Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.751{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029206Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.751{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029205Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.751{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029204Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.751{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029203Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.751{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-7917-616D-D906-000000000502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029202Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.751{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029201Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.751{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029200Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.751{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029199Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.751{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7917-616D-D906-000000000502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029198Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.752{6F8252D3-7917-616D-D906-000000000502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029197Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.220{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7917-616D-D806-000000000502}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029196Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.220{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029195Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.220{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029194Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.220{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029193Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.220{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029192Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.220{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029191Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.220{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029190Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.220{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029189Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.220{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029188Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.220{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029187Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.220{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-7917-616D-D806-000000000502}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029186Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.220{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7917-616D-D806-000000000502}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029185Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:35.221{6F8252D3-7917-616D-D806-000000000502}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000041434Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:35.075{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041433Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:35.075{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041432Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:35.075{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041431Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:35.075{8D4DD44E-5BA6-616D-0B00-000000000402}6284720C:\Windows\system32\lsass.exe{8D4DD44E-5BA4-616D-0100-000000000402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000041447Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:36.950{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3E2C7FC834510F3CFAC5ADD4CB7342E,SHA256=DF5442D005234AE804EDFBB38ED82B9E3A85EF75A2FF7A13F6415A7784DCCD3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029214Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:36.767{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D14837C613803AC0FE8E16E42EBC20,SHA256=EFC5EB71610A35F9AB280A2A1529E6A1F735673F4D232E7422F1E9BC11AB4124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029213Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:36.110{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B549F148A2113A6BD27BBD6B72D7B31A,SHA256=DEC0E802ED7AE9D8052B0CBE3E28D0C9745D61ACF2D97D8C628981C98A03A8E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041446Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.953{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59006-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000041445Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.952{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59006-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000041444Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.858{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-185.attackrange.local59005-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000041443Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.858{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59005-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000041442Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.844{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59004-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000041441Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.844{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59004-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000041440Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.843{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59003-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local49666- 354300x800000000000000041439Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.843{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59003-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local49666- 354300x800000000000000041438Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.842{8D4DD44E-5BA9-616D-0D00-000000000402}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59002-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x800000000000000041437Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:34.842{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59002-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 23542300x800000000000000041436Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:36.106{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A93BE1F75C626838691064915B9348DF,SHA256=48F49484671A614506970B62A47FA26E295EC4893907491A3F76A4381C185A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029215Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:37.813{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DCFF95BA5A0A5FDD6B4F62C6CA17E6F,SHA256=DBDABDE9BB662B8B24CBF9862093E5C30EAB7883EC6B4F2F947CC6CA57F11CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041448Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:37.965{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC9463D18E9FD2E7C901E0734D0D56C,SHA256=DE20379B10EB18C706F997270EBEC058DD43DC0F28F12FB31178CC6E78C59020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029217Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:38.860{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851AC84139F9ECF2FC8263FDDA31036F,SHA256=95EBA1B3AB581C7A8FDFE71BC37238A9E0827AFEBD29E838E7DE5AB7EF1A9915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:38.981{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607F5770DE622D5915EB5F6A26471F9A,SHA256=23711AB2D984CD3E1ACFF38D793449840A85096CB281B130FBA62148025C80EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029216Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:36.584{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029218Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:39.892{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC27792045BA9F27DBA1E4771D4BA45,SHA256=94AF9496FFECF2254E61F027F6EA6B206B61986C01A75E8EC912D8A938ED9561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:39.981{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A6019C32D56B6D770787A68AD617A1,SHA256=6B7D0037E999E21530910383231E8ECD53DAB9E019CA2683D14EF5FBEBA81A45,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:38.042{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59007-false10.0.1.12-8000- 23542300x800000000000000029219Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:40.985{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96B10D868144ACE223AC55D41E6ABAB,SHA256=A65AF51A518B0E9BEAB858EFCE577D85C62042DAAA1368D4B6C34455F028989E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:40.996{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C6D8ACDE816849A8F5F169E04EDFE5,SHA256=7654A7835D174C8E28F364D07F321A7F9EE53AD46FCC8936D4E9521E69EBF4FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029220Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:42.001{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25495ECB21599313BC9FA4AD0F6CECB,SHA256=39558ADEEE916D6720D3043831143C5843CDBFFF943A49762F7D9C851E62B0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:42.012{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD67BDF6E8026B73EC098233274237A1,SHA256=17EE35E90E1584858C63EEA44796D6EB33A807BF1659221E8EB713981361712A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029221Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:43.001{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B03B60BE6783AEF0542391A5DE7F847,SHA256=473F651A4078CA1A892D09649990458B28AB347CAED793FB3DA188070F809520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:43.028{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0CF8889F6A789A099328E3C75B247D,SHA256=0CD4907606F227B4F38B665291ABD83C64ACEF36DBD2A6AB2433075B595D2C1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029223Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:41.787{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51147-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029222Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:44.063{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C170527AD0D912F82FFE285E666D2262,SHA256=CADDEE7D5369C4FCE2E4A1DB984B7031204795B5FB104DF5887601260B60D3CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:44.028{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB52142F2F7CB5B03B5BD7B5FEB9270,SHA256=0771383DDEB7FA83D4D20A3D4131FCC2FF15A0C4E8592A58B5BF864CA69D23AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029224Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:45.095{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894E13456289D9AFFFC49D50DCB4A934,SHA256=3E22E3C57925CD8912BFDB23BA5F9CDE5C816B9EC33C8A4B1BA3B239D377FAA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:43.949{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59008-false10.0.1.12-8000- 23542300x800000000000000041456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:45.043{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73EDBE9E77088F6931CDC0923438C419,SHA256=EAB53D9D3C9F7550138BA49DCFB943F07E876B1D8D41194C294ECBEE5E9D400C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029225Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:46.110{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB38E3B25490ACA7975CAE664B278FB,SHA256=ED10AF4367225ACA6DA4EEF2A2BD43F035AA69C61A13268E822F4313C6C48CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:46.059{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835E0DF7AFF57051EB46FA7D6CBAC325,SHA256=603BBC68C27E756C04D794653F7B90FB80FCCE9DF4A259D4A23E6013340A6AEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:47.059{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1443340B065CCD5A438D5DE51982761,SHA256=BAF65DB682920AB0FB29C23C5305B9753DFEF8663AEEBB0D8A9F0F996CD1FE36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029227Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:47.112{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9E782BF7C684319182934986614A82,SHA256=02AAD5558F16B8259BA641B8EEAB8D520151EBA88D8417F115F4EE2B1C02666B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029226Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:47.098{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-113MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:46.997{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4472EBA2C930BEC79AB86B5F3FC9DBF,SHA256=97669851221475D1CA411563B445B5162F8C90E5C6CB702E8A5DF25DE9DBEE3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:46.997{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AB5BDB7B044CF45214F65AE1E8133D9,SHA256=199BC480F8FF8C9650787C96DA6615CC516DC34401A73F0F0EAEB92E0D16EDA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029229Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:48.116{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D55B07E0EF49420AD2231E5EDA09CF0,SHA256=9141BE41292CA5D741B4D31A9C8401BDF73573961685982517FFBFE848278314,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000041465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:39:48.403{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\60E60F09-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_60E60F09-0000-0000-0000-100000000000.XML 13241300x800000000000000041464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:39:48.387{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Config SourceDWORD (0x00000001) 13241300x800000000000000041463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:39:48.387{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B282E4C4-BB5A-46C5-9F10-A3714310BED4.XML 23542300x800000000000000041462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:48.075{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834E20DA7D7BD2696CB45B17D419EA1D,SHA256=1EF304D75B7D7FAAEB36835D5CED662453FC43650224DDB75958CFE32744E051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029228Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:48.103{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-114MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:48.292{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59011-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000041472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:48.292{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59011-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000041471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:48.282{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59010-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000041470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:48.282{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59010-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 23542300x800000000000000041469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:49.403{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4472EBA2C930BEC79AB86B5F3FC9DBF,SHA256=97669851221475D1CA411563B445B5162F8C90E5C6CB702E8A5DF25DE9DBEE3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:48.262{8D4DD44E-5BA9-616D-0D00-000000000402}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59009-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x800000000000000041467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:48.262{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59009-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 23542300x800000000000000041466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:49.090{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E086C4E10936F9BEF47FAE66DC2F16E9,SHA256=A58D581E19F36646150A71C38C3EDEA7D3569BC0602C5EBF6C66F951591FE9EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029231Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:47.682{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51148-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029230Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:49.165{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207B9D09294583F327D2D6AB906DC1B1,SHA256=F33105FB8DC635FE1EA7A8155045C10CDC56520A9E54CE6DE382AB04068D95E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029232Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:50.196{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B22F3BB9C6C43F7AAD1A01F83693025,SHA256=A6254C2BA13D674C8D5116909BEBA286F1993C035AC4F1D14730D61D9766CF32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:49.010{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59012-false10.0.1.12-8000- 23542300x800000000000000041474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:50.106{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBFEBFCBECA967F50C7BD62477AEC1B,SHA256=45F919674E1AEA392D36D34E5578AE132757D3776609308F265D47A6A17101FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:51.122{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C32937653F7088A171D7992F728F1E,SHA256=F40229A74161731010A9E48F50C4CA9777565AEFE7289C9DEAA8DDF0589E207D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029234Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:51.836{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3C1E112E6C52075016CF932411E668A9,SHA256=32DB7BF426E03BB879365CC6241483DD7A9D6AACB73F30D72C1CD2E383E54500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029233Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:51.211{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B135258081815598B7C2D27A429D95,SHA256=367213FA99BAC157FAF5EF30D35F61285F5512AF6D93CDF814309945582215D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:52.137{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FA22A68C1529E3D6B182676460CA96,SHA256=0A7FCA91E4F9D3EBD1A5279E8E0FBDE5F1F32F67173E5715D338653D87E12D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029235Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:52.243{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E2E5092B34BA872D82CC154498C955,SHA256=FB52EEEB6E340FF45CF5B3ED909A9EC718BEE58970E14C25A7A6F1B09FA53E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:53.153{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C5B03CDC0BEDFDB76F4D0D52475697,SHA256=209EB55EBC18EBACA518F3CCE73244D12E1EE9188248800541AAD2A82C67EB87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029249Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:53.790{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1600-000000000502}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029248Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:53.790{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1600-000000000502}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029247Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:53.790{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1600-000000000502}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000029246Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:39:53.321{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000029245Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:39:53.321{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006b3792) 13241300x800000000000000029244Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:39:53.321{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c41d-0x3f4c99f2) 13241300x800000000000000029243Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:39:53.321{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c425-0xa11101f2) 13241300x800000000000000029242Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:39:53.321{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c42e-0x02d569f2) 13241300x800000000000000029241Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:39:53.321{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000029240Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:39:53.321{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006b3792) 13241300x800000000000000029239Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:39:53.321{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c41d-0x3f4c99f2) 13241300x800000000000000029238Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:39:53.321{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c425-0xa11101f2) 13241300x800000000000000029237Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:39:53.321{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c42e-0x02d569f2) 23542300x800000000000000029236Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:53.258{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F469A8884F0683F9EC69ED85D28C71,SHA256=3436E34AD3AE794FB995124A28339C0A22251CFE8CCC914E59CE019C74F0CEA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:54.387{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EADEF557A369D1A9C5DEBB81E62131,SHA256=B546EBB655BBC749CA6866E8043F5B61C9911C97D5C5E2ABFE369E479977C9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029250Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:54.290{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D54FCA7C2D1225A9134ED60C398FE7,SHA256=8ABBAE00872C09421F5F7CA404CCF5D36AFFFCB5870836BF89CC61763115E9A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:55.621{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956CAC77AA94C637C85639424004FC66,SHA256=DF906FEF7E112BAE6F2552145E0C31ACD25E3902E4EBF0844DA477765853BF27,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029252Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:53.622{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51149-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029251Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:55.305{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FAAFAEC6F7DAB28326737A428B3638,SHA256=4156BC4BC24EC3EC28DE9F122B9363CA532E15F073229DE07FD80F3F0DE500A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:56.747{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E693A55827CD1512DE658C2E3C9ABE,SHA256=407E2D9C87FB80B308B6729EA22DE2E54F4DB1A94FBEC64D1A75284827560EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029253Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:56.368{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1185FC20082AED8C3A5192F017B4554D,SHA256=CE9DB6DCD90FFE1324B5B6F58478BBED1CF0C8651BF7DB20084632D90A44E6B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:57.762{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361813D7B4BF980756A13DC3FF552AF8,SHA256=C35E52093CFBE3E207B76A660B61C40B6E7C6A69EB091C060922F6E1E1761504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029254Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:57.383{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED40C571EE51321DF80D022E11F69A5,SHA256=AA1484A7C80734F11914F90F0521DE8FC98BF2FB582524142C903E5E2D684CB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:54.995{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59013-false10.0.1.12-8000- 23542300x800000000000000041484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:58.762{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937777F74FD9D7808800D24417B27E78,SHA256=9CDB426C137E480BC6763CE56C429D343FBB28D88E19C9F51EEE01F270F35D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029255Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:58.399{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711DD224C4791905EA7D30FFE2B426A9,SHA256=2B9F6376DFD3DE9AA570C0CA9E02842A8CFEBF7AFA5A42E9A9D187812EC38877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:39:59.809{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438E4EB7638B1712195A6C8F4930CC07,SHA256=D4FAE920C68BEEAD9C864BB2C07B95E291435B1974E538D7FCE40BBD405E805C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029256Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:59.430{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82CE6D499582E023932E9C9F1DD3AFA,SHA256=429CF087ED4589675ECA9668EF70EB0344DEC6F7BBE33487C9530A23B2CF457E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:00.887{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F4FAB1594B2E192DC937A1C18CF724,SHA256=4686FBBE6375AB74716EBA781FF71F206C3DC331D2727213E8183A585D0860B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029257Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:00.462{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FC489775A7D8998665422254FE6727,SHA256=EA33B662982D5CA0A45947ECA6619C9BD36C9A859C50D79D76E1F13D09CA2724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:01.918{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDCC5791DD9544DD701358651CD5E148,SHA256=42367E307E93A12A0013688B12FFD4AD7542AA511BD700533F992093911DAE71,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029259Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:39:59.622{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51150-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029258Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:01.493{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8413BB6039162C1929CEAD6F74809CB,SHA256=46FB381C1E1B83AA830424108AA20E06BE95BEACD432683B7A18481D9AD6261F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:01.121{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AE6231C24FDBAD545DA97DA9179F911,SHA256=1B7FC12165A7A9E9E6EE69AD24D3FFAA95724F58A67BBA9EBCAFF5AF14B56188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:01.121{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A9E7D4BB1EB56D560D349B6479B0087,SHA256=DDBF0E3447ED3C39B2CFEB191F4CD2EDA3E1E442F765661741B9DBC74C1860DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:02.934{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47DDBB31CB04E0FB83C98D075759977,SHA256=8C0964ED0E3C963606CD6526F6CD9764594257D190B3EA2BA5381D964BE1A0AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:02.934{8D4DD44E-5BA9-616D-0D00-000000000402}9043884C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029260Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:02.508{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17E02D5FD6486BDCB85F65ABEDC7ED8,SHA256=F1641E89A4BA6B84883F695F58941E0340BBEC8F88EE5D243A2C09875A61A98A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:02.700{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AD82D8E2CA57FEFC00332C574B74C6D8,SHA256=D59F39C0EDEE1ADD01C8EC73199B03C2DA5D12180DCA33235C984A18127F4DC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:00.042{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59014-false10.0.1.12-8000- 23542300x800000000000000041494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:03.965{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D898147DD78E17C0C01159622DFD570,SHA256=F9453F9F0934786F349B165CC27B7A6BF50DF62EE37BA209F13D8D930300D98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029261Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:03.524{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8A3D56A3A08D50AD2DB16E7CB17C47,SHA256=1B997398D221A7FE6508181B8DF0911F8A363ABBCE60BA37FC03189F0059CFA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:04.981{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D4CFCD317ED7072E0E4F5B001741FC,SHA256=7F41F43F431DC10233C0DF0E309DC22FFC4F3E3B6073967D95089A0F66FC05C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029262Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:04.571{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23A9B65194CA488FF051D09CD96FBE0,SHA256=84811487085A8293A616BEC6428A2F59DD2C373535E9F9F83F829850AC9917FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029263Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:05.587{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8303709EF1557F66BF949C28AB005E,SHA256=7110F5D9960E5D75F8440FFF46D14BE691B32229F9EE0F2B55575A9DA38FB788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029264Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:06.634{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D475DDE6E5D9B22D1064593A5461F2A3,SHA256=259DD52F7F0F5DBFD9CD628E4C04B588A245FEDB1DA0E469FF1DD9B9D843A4D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.840{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7936-616D-1509-000000000402}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.840{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.840{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.840{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.840{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.840{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.840{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.840{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.840{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.840{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.840{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-7936-616D-1509-000000000402}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.840{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7936-616D-1509-000000000402}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.841{8D4DD44E-7936-616D-1509-000000000402}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000041510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.653{8D4DD44E-7936-616D-1409-000000000402}18484392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.340{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7936-616D-1409-000000000402}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.340{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-7936-616D-1409-000000000402}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.340{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7936-616D-1409-000000000402}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.341{8D4DD44E-7936-616D-1409-000000000402}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.012{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA85522C93DECBCAAAE95F195A1196B,SHA256=12F9376EBB2AF8E8326AA7984EBEE91653F7EE7DDDFB2DCD4B653B14A2A31406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029266Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:07.646{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67721E727EDA686ADBF75232DB9C67F,SHA256=8D1FB0632FE285D57559864C5E574F207BF99D1DFC1E07B7337C0B5885D50434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.751{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:06.041{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59015-false10.0.1.12-8000- 10341000x800000000000000041539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.470{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7937-616D-1609-000000000402}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.470{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8581197AC1D1A488447993923ED40F66,SHA256=3FE15B89B8EA7CADB16F7B32D324E150779198F0E307B9FCBA88A20C600E727B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.470{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-7937-616D-1609-000000000402}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.470{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7937-616D-1609-000000000402}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.472{8D4DD44E-7937-616D-1609-000000000402}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.470{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73390E69C05D9B09EC26DD69A03C010,SHA256=66A31C0663A6892ABA9FB6650B058B8A98A310A4D697EDA32B0B8BFE038A4333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.470{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AE6231C24FDBAD545DA97DA9179F911,SHA256=1B7FC12165A7A9E9E6EE69AD24D3FFAA95724F58A67BBA9EBCAFF5AF14B56188,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029265Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:04.747{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51151-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029268Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:08.662{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC0D1D8291B752FBCACBA927D9B0030,SHA256=AC329156EC37C16CC0E194D6E6E8EE9716E714C501A9DE5E3960F8D06C4688DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:08.720{8D4DD44E-7938-616D-1709-000000000402}34281036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:08.595{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CBA2FD9910A4E3B649CF0427556594,SHA256=3AF740CE4EF8A06DE6831278EC8BEED27948D17C821C18D1D326D23B9CE4DBDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:08.502{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8581197AC1D1A488447993923ED40F66,SHA256=3FE15B89B8EA7CADB16F7B32D324E150779198F0E307B9FCBA88A20C600E727B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029267Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:08.381{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:08.470{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7938-616D-1709-000000000402}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:08.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:08.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:08.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:08.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:08.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:08.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:08.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:08.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:08.470{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:08.470{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-7938-616D-1709-000000000402}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:08.470{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7938-616D-1709-000000000402}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:08.470{8D4DD44E-7938-616D-1709-000000000402}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000041586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.938{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7939-616D-1909-000000000402}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.938{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.938{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.938{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.938{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.938{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.938{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.938{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.938{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-7939-616D-1909-000000000402}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.938{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.938{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.938{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7939-616D-1909-000000000402}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.939{8D4DD44E-7939-616D-1909-000000000402}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000041573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:07.608{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59016-false10.0.1.12-8089- 10341000x800000000000000041572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.673{8D4DD44E-7939-616D-1809-000000000402}45284704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.548{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBB4579D676D571DB5D57551C9CD704,SHA256=E4A2F379477D32B32ECD07CE4023274DAA55BEAED32083CE63BE484F6B955986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029269Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:09.678{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F566B94978F2287A5018C444FC23E3BF,SHA256=DF38B8E6DB96BFDF302628CA06002E1869BC7C7E72DD91B59144A4A5CF93D590,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.438{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7939-616D-1809-000000000402}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.438{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.438{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.438{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.438{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.438{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.438{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.438{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.438{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.438{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.438{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-7939-616D-1809-000000000402}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.438{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7939-616D-1809-000000000402}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:09.439{8D4DD44E-7939-616D-1809-000000000402}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:10.548{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6626319DA91A217BFF7F7AC763D419EA,SHA256=5755E30FA032191D42BEB31978611242B38D36D20818E0EE2E90757E624877A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029271Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:10.693{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC212DB1441ACEB0352ED0FDED7D33BC,SHA256=070B3CB8E378665B1B72D5032699144ACCDE2C1285AA318A12216FCD61451692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:10.485{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63B8F03E926A446AC0771C4FB47F9334,SHA256=F0D4DED29227B2217FB32026E23D3FE7D33975931FDEA5720D82EABA1F36DFFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:10.110{8D4DD44E-7939-616D-1909-000000000402}31365060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000029270Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:07.916{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000041603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:11.954{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-793B-616D-1A09-000000000402}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:11.954{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:11.954{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:11.954{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:11.954{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:11.954{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:11.954{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:11.954{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:11.954{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:11.954{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:11.954{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-793B-616D-1A09-000000000402}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:11.954{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-793B-616D-1A09-000000000402}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:11.955{8D4DD44E-793B-616D-1A09-000000000402}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:11.641{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B02C6530C0231149DB4587231FF357A,SHA256=2D834EC47836EA423D9640B43A360E4ADFC31E985B79E6C2122F7640BB8861CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029272Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:11.756{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB1C5E0BE22422B6D38B91D9EA356A1,SHA256=ACCCE0E537ECE69AC42890F31043008B345FDFCC8E6A76E06D30892930F9924C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:12.969{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B372D91B7E4E10569892BED8440EB974,SHA256=4765BE8F4489F058DFAB659BFCB5062FE4A5383AA0D62C72FCA4D9F1F55A2C49,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:11.124{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59017-false10.0.1.12-8000- 23542300x800000000000000041604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:12.782{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E2CDD7856E01F0E2DAFDA18A99A016,SHA256=A62F8D380E787937EE1E6B3CA82DFDFD373514AA84336C94D7B1172E18D4C8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029274Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:12.803{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03DE0B7CC353D2F5C27E3BEB255054BD,SHA256=9727650FF24B74D8637194CE68B9C86A80CA0DB5592BA1E9BFB2E5A12AFAF1B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029273Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:10.744{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000041607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:13.813{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E733153203AD5368FD53D56FCB61AB64,SHA256=AB3192472965FB0248EC2E47C3913AA24FE4434FF5B521A18D280533B658189C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029275Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:13.818{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F34A44EC94CEA640BA0385482D79CAC,SHA256=6D608B1B634F7183D2B989735E2695897341A526734A3A5674FCD9B20735638C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029276Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:14.834{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529DE4243D39D798836DE216FA8E57E8,SHA256=78671FCBA96260CA517104B1817DC9207491F189B227711D14A00162655280D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029277Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:15.865{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D718415F7FCFB79A6C712DD11ED487F,SHA256=ACA39F061E2091C361F8627A2E697023AF31A1FDD91766FC92E4D224BFE88860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:15.048{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4958D842285E38A90D9405ACBF1109F2,SHA256=33A9BF5061C4213A6897E83993838994E67D1A0A668653AF6B5F6341CD301877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029278Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:16.881{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F921E651AEC8F7CF20D45AD3F23340,SHA256=6545AABE3539FAEEAA2BBA374682BB340419A82D0C1D4E6085A9DE5B8086BF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:16.079{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9273575AFC29358E7AC2BAE4351CAB99,SHA256=9F9893B537BA85E8A988FB25328A60DBA17A14CA17CF928C4C1E635FB29E92C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029279Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:17.881{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC84321C408DD871200E3BCA7763C7C7,SHA256=1A42C2BDB6F2BCC3914FED7BC80F08063AF6631972D99032BBECAB19791BF13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:17.094{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8465BECEB2BEC8F3278F5E6278596BDF,SHA256=D30625A6DCE99833534C979AE7728E33B4635607AB17E3E41F1AE8D1110DDBCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029281Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:18.928{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0AC488ECFA67A241D4E1AA5BCDBC156,SHA256=62EB1D5E5B2367FD029CCE09BD22F367DCA2036A0484B3AD1A5FBE53B78EABE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:16.921{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59018-false10.0.1.12-8000- 23542300x800000000000000041613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:18.157{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4990D463780C1DE11045532C22960860,SHA256=11A8832DE75E6905F8E05977ABFA91C689BFC51A9018F3C25D477F32C835CB96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:18.157{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5078F0357957E8990ED42E6978D6976F,SHA256=855F4111E0349D6D39589F8297DF80649735B03EA338D1FDE9EA9CFEE21B9A7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:18.110{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A17E78A3456E8C9046168C2396A8CA,SHA256=16F87E18A813804315E407C7C796B525538AAE05789F2E2605269D30C186D21F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029280Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:16.650{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51154-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029282Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:19.959{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8183E2C02D6ADCF882930E8B64E570,SHA256=1FBCA808A51D0C9C3A78CCFCE9E30BC212369583E579F351DC1DAFFA75C40D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:19.188{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB9C3D8B040770C00C0C28EDB29051D,SHA256=F8A5ABBADEEBCC4656857FBAF992174171624FFEFE5D9478772B826C65176287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029286Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:20.975{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D195B4A635C791A8361A7D9CF2A55C8,SHA256=C660619B70403B591694D53E7E01608EDB616D08AB44EA558E9493905B83C20C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:20.204{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979F6896F2617F17A70FC248B4867553,SHA256=8BFE52EA0C3233EFE1E63B8042B1CE6A2F6173EB30D912A4E6A10262F4927920,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029285Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:18.822{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com59625-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029284Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:20.771{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A64700978A7916E82A4B727117029C9,SHA256=84DB30BAB5A97D11F30D9DF54D54007903B0B09D18D0016762986081E0C56552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029283Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:20.771{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3EB84A3E8B8CC2B4AA49901CD53D6F0,SHA256=FEB257D2B618C9096BE19D33067A07482B75FBE04AA6279295AB623F8A251ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029289Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:21.990{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E18922EE24055CA180D181DA34FD36D,SHA256=4BC05B2C3AAF83FE78D59E6ED381049E111C08988111F8EA47C91AAFB0AC22E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:21.235{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73AEA1C94F3A21F22DD4D4703C99DF0,SHA256=0D4B75B87E4137B7070378E365F8F1E9C7F69168FFC8721F2DB53E0CDF9F8BB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029288Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:19.314{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51156-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x800000000000000029287Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:19.313{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51155-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal135epmap 23542300x800000000000000041619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:21.204{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4990D463780C1DE11045532C22960860,SHA256=11A8832DE75E6905F8E05977ABFA91C689BFC51A9018F3C25D477F32C835CB96,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:19.632{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51156-false10.0.1.14win-dc-185.attackrange.local49676- 354300x800000000000000041617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:19.631{8D4DD44E-5BA9-616D-0D00-000000000402}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51155-false10.0.1.14win-dc-185.attackrange.local135epmap 23542300x800000000000000041621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:22.266{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F08237EE1064FC05D54DB7A1074526,SHA256=B0E8364CB494F283156FAB4BD1592B3C0D0A48FC684EE2D4A855DFE4DB05B520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:23.282{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E876B22C1E23E22760FF6B6CD80A4445,SHA256=E953A503EC9799A5C17079B83C1E840D63264F2416B47F1DBC10D86E8AA9D729,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029292Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:21.277{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com59819-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029291Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:23.162{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A64700978A7916E82A4B727117029C9,SHA256=84DB30BAB5A97D11F30D9DF54D54007903B0B09D18D0016762986081E0C56552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029290Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:23.021{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E844B9AF10E29DE36F63D9043BAB0246,SHA256=95847C2DE37A731A2FDAD1531B4396439B73A2AC86398C289BB708EDEBADAFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:24.313{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=998AAA3EC001C3585CC5D36B58695EA5,SHA256=AE7BFD6D8E1F148663378BA27940DB4B1639892295E381E0F29C987A5DBA3D65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029296Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:24.975{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C825E74CA0BF91F06D7C4CB549A1E81D,SHA256=FA7253610EA961040CC2664BE779917634AE38470B779C10EFAAB15E120CB1E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029295Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:23.083{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com59954-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x800000000000000029294Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:22.618{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51157-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029293Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:24.053{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874441ACB7390FD68C1DE06CA638A8A8,SHA256=621BCA4EA91C5B5E48A4ECFDFA48B9861314E5E46733074FDF9FB165F6738254,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:21.936{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59019-false10.0.1.12-8000- 23542300x800000000000000041625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:25.329{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E42BAD6E0A12F53412D3C48CE917E1B,SHA256=EDC3CF88365411B4D4CD6C41195E74C24131FA408D28991BE91B11F5ECFDE4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029297Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:25.084{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A7A37C4F8240A6AF62FA9D1B9EDFF04,SHA256=B8C96BD7CB029D2FE283912691AD09FFC52CA2641F15801C4D1D623D164B1840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:26.895{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-122MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:26.360{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD419417DE0E2F226AF559687167557,SHA256=4ED731E6329CB76EDFE1965859E9C63322D45B62B2C5EB326F507B3FE6E3CB92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029299Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:26.678{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E6C9C1F3DE71C77207326F5AB8AD0EE,SHA256=9D526972F275210B736AE345E99A732CEC3660308A5951606E5852BC496E05C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029298Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:26.115{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D164C8BD096DFF8FEF15AD7C0CA1061,SHA256=276394D906E13EB537135F8FB9FB7CAE7B3BFE69D732F24703A555664655DA67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:27.894{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-123MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:27.596{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A6700B7144C7BD56902BBD25ACD84F7,SHA256=265B889C5AECB6F5AA93944D19337BFED156A3A0C0BAF1388AAECC8940A0ABB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029301Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:24.778{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com60091-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029300Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:27.117{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E5853B06A73F8A26C0BA36F1DAE29B,SHA256=7EB8DADBCAC6834B90FBC7C2CF41730A21FF2B0D63755BBA29090E1AAF874F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:28.598{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5198B1D137678F5F8E18CBCC683773,SHA256=230389169ED9EC3B9FBE91273DD703361D0AC6ECC5A61B81BBA9185D09353018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029302Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:28.132{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31FE43C76A598A49D9FDE22CECCD2F3,SHA256=F7C8272021B3A7B3B9B8F7CFCFB1D830130A006E2188D1487F97A164627EBDEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:26.954{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59020-false10.0.1.12-8000- 23542300x800000000000000041632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:29.613{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813D3B1C272B42018C52A68EA46B001C,SHA256=E4E62642B9B13BFDCF870DCC18C7B9DDD4761B276D4EA9357481D668E9EEA83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029304Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:29.226{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECA9E94D3F4BEB979288B2D555FA10A,SHA256=D93317CCB8DD1CDD96FAA64189B7972377A00DB92C40B0A77526F871C255BF37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029303Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:29.148{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E44B955DD4CAC36498B5C4871451512E,SHA256=44148C0B58EC8B9CB43A6EDFB5CF86E4FBCA916EEF4CC98C1275D468FDFE2F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029307Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:30.257{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2211894111F1A89F881E5ADBED525443,SHA256=5E29D042DDC054BA045C3D9F16AB0530FF91C87ED288E20A6792D60864784658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:30.613{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A643D49C1A9A1BFED1EB091CDCE9972F,SHA256=4EDC1E32E9A3F8C462DDB00C93988322837A56BA274D70900591705AAC8273D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029306Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:27.620{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51158-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029305Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:27.258{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com60292-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000041634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:31.629{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C49C8AC360D60DB66CE0D938591BD5,SHA256=8F7B683AB195423E846D369EDFD83C72910F8F40C7DF64520864DE9CDFE450D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029323Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.679{6F8252D3-794F-616D-DA06-000000000502}30803540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029322Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.476{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-794F-616D-DA06-000000000502}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029321Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.476{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029320Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.476{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029319Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.476{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029318Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.476{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029317Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.476{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029316Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.476{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029315Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.476{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029314Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.476{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029313Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.476{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029312Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.476{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-794F-616D-DA06-000000000502}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029311Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.476{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-794F-616D-DA06-000000000502}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029310Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.477{6F8252D3-794F-616D-DA06-000000000502}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029309Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.273{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316F891345EB1A07F35358CE6889EEAC,SHA256=A8E7E027D8049CDD2481AA952BDDA582C6987C1936F5C1AADA67BB16D8BC9665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029308Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.211{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8201908E7F979A86EC8ADE2E2E9D1725,SHA256=46A822D3018CA7935E4A606E0ADA4F4780A95AA68C0AA30E433A2B65F2BFEC2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:32.644{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0370F895D008039965E1193C67590EFE,SHA256=C00DA58781ADC41D5909D29E96B95A6C01AA72872A166E90DC0085A41C74A888,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029352Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.648{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7950-616D-DC06-000000000502}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029351Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.648{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029350Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.648{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029349Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.648{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029348Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.648{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029347Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.648{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029346Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.648{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029345Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.648{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029344Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.648{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029343Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.648{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029342Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.648{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-7950-616D-DC06-000000000502}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029341Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.648{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7950-616D-DC06-000000000502}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029340Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.649{6F8252D3-7950-616D-DC06-000000000502}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029339Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.507{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FF7351E994157740D042E5FE656152A,SHA256=FC896426AD6A4AF1B7EF818251B0BFA9F042D7536BDB42029D8FAE0F24A82984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029338Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.336{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835F5471E226E0BDFA91A8BBD4C13524,SHA256=5057ABEE101F779C3E55D0847C5E164F45B9D2BCA01F0992AAADE37D0D4C4CDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029337Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.148{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7950-616D-DB06-000000000502}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029336Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.148{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029335Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.148{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029334Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.148{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029333Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.148{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029332Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.148{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029331Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.148{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029330Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.148{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029329Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.148{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029328Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.148{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029327Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.148{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-7950-616D-DB06-000000000502}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029326Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.148{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7950-616D-DB06-000000000502}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029325Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:32.149{6F8252D3-7950-616D-DB06-000000000502}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029324Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:29.321{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com60454-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000041641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:33.660{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DC75F299A40FA1454B128550940114,SHA256=988132C093B1136D6B0EBC281AFDFD186B2BC351CF19F74A39DB4B79AAE20C87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029369Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.820{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F6C79FEACDDDFE1603B16FC781AAD97,SHA256=627195A62339C6B2EE4456D70E1805A91CB21760F526E03EC961080F2D05F88F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029368Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.742{6F8252D3-7951-616D-DD06-000000000502}10803652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029367Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.539{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7951-616D-DD06-000000000502}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029366Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.539{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029365Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.539{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029364Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.539{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029363Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.539{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029362Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.539{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029361Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.539{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029360Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.539{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029359Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.539{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029358Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.539{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029357Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.539{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-7951-616D-DD06-000000000502}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029356Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.539{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7951-616D-DD06-000000000502}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029355Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.540{6F8252D3-7951-616D-DD06-000000000502}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029354Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.351{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F85C318AF224C5C785165F3CD7532AA,SHA256=F09D6AAEF495F330FD6BA7097584141F6EFC387A81AA71B774A079261001F034,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:31.970{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local59022-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000041639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:31.970{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local59022-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000041638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:31.955{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59021-false10.0.1.12-8000- 23542300x800000000000000041637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:33.113{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE89EADC41DF2638B15C29C58D12E17A,SHA256=4D42D59B288EBB525DCE05F6C136B1246B0EC922D5E9A527D9B6119A61F5CD50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:33.113{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=825CC36CA950B0BBEE35D76AEFC30AAA,SHA256=E66790D629AF91255FF9224F3F9B9E94A1B63747ED3CE498BC65A986FEC5CCC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029353Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:31.445{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com60617-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000041642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:34.676{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F7CA455F0B8B973090C58975A88849,SHA256=E849C0F0FAFD6E215FE70F57B6D7C42DE1271FE978A1BBF88E8DF9917F85D70A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029385Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:34.992{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0683D7A089BBE0F281FE807D01B69E47,SHA256=CC0FED9BB808174B01ACA8AE4C00EEEC457C8DF3D5CB1A764BC429110D1DC66F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029384Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:34.914{6F8252D3-7952-616D-DE06-000000000502}17441540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029383Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:34.742{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7952-616D-DE06-000000000502}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029382Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:34.742{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029381Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:34.742{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029380Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:34.742{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029379Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:34.742{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029378Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:34.742{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029377Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:34.742{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029376Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:34.742{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029375Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:34.742{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029374Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:34.742{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029373Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:34.742{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-7952-616D-DE06-000000000502}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029372Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:34.742{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7952-616D-DE06-000000000502}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029371Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:34.743{6F8252D3-7952-616D-DE06-000000000502}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029370Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:34.398{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C34770469DFAE32761D8F714D8EA04,SHA256=980C40EF87965142B93DAA47B56B867D950D1A806D62DEB67C642D341E49AD67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:35.676{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF0890E474444AD284ABDFEDB8E78F2,SHA256=5C2C3247A7A5D98104A9DC4A3479E351847747BCFABA849FE8B849756C730B59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029401Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:35.617{6F8252D3-7953-616D-DF06-000000000502}25202312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029400Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:35.414{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA1BA5486557ECE1CEA2E067A0E4233,SHA256=240EE6E58FD7EDD17F1075C208FBA38251DDFFA73A57ACE83A3F57C96CBE2BBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029399Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:35.414{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7953-616D-DF06-000000000502}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029398Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:35.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029397Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:35.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029396Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:35.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029395Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:35.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029394Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:35.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029393Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:35.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029392Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:35.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029391Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:35.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029390Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:35.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029389Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:35.414{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-7953-616D-DF06-000000000502}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029388Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:35.414{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7953-616D-DF06-000000000502}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029387Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:35.414{6F8252D3-7953-616D-DF06-000000000502}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029386Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.104{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com60753-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000041644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:36.691{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62AA1A1DDABECE138DB2C15E1147C86,SHA256=34C1EF0E731C57F8EB10C070C196D7BCCB9F77563F1626D529EB354BC897A521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029417Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:36.601{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9FC62F152718483B525991F93793332,SHA256=D586F6C74EFCCC4892210A1B4EF1A934F87587761FFF027F383F470DE0F601D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029416Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:36.414{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=151FC5E924686FCFF79963111A0D01CF,SHA256=85120C2A11FF4AD67E007D1E18EFB4FEEEDE82FA7234C094823530A1385AC13C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029415Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:33.636{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000029414Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:36.086{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7954-616D-E006-000000000502}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029413Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:36.086{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029412Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:36.086{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029411Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:36.086{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029410Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:36.086{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029409Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:36.086{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029408Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:36.086{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029407Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:36.086{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029406Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:36.086{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029405Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:36.086{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029404Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:36.086{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-7954-616D-E006-000000000502}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029403Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:36.086{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7954-616D-E006-000000000502}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029402Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:36.086{6F8252D3-7954-616D-E006-000000000502}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:37.707{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E92F7B56CD083A9D7D65D178091FBC0,SHA256=39AE750B3D14E9AFA75831DDBEBA7CD7A32E4A9AE8AC715EE93206D8F344CD58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029419Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:35.101{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com60913-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029418Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:37.429{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847FF7F665F6F2B59A009A9D1324A010,SHA256=CC2457548182F9BC1D71DCA000BABE3724CA9F2E550BCF02C91DB10C8CB5335E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:38.722{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC454E402E9E179C1766C44F6DCF6B69,SHA256=F13293E089DBC18DB64847844B2130409EBC25120EB6EDA2E969BCC87F258BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029421Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:38.836{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=137F34F96CA7180194F1ED512E8F78F8,SHA256=B2AC2F03B68FFAEB45E77184202F35C5E75B6FAF0F8CA2035B96E200502F96BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029420Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:38.476{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D555417B3F5E3863340F12FA7090572D,SHA256=FE117359821450223538ACD6A74AD7375F760D18D3B020179B143140CC875127,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:37.049{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59023-false10.0.1.12-8000- 23542300x800000000000000041648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:39.722{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2CBE6B85C72B8748F497D07132709B,SHA256=AB55606FEBF535C48D5E4D7FAAB762637656777FA848F7DAF5FAF88724042A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029423Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:39.507{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6D8F6BCD43BD2AABD96BA1D11E2801,SHA256=3D8180234C15C5F65001A8F00E0FD8AE26EC3DA98D6A83878B41F1591A15C53D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029422Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:36.933{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com61046-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000041649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:40.738{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1163B3B318DA20E25DFC17C55DBE047,SHA256=8995DC70B71187437A788098D5F55E02F7CD29BA1A9ED423E8B12AD931792AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029424Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:40.523{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B590F2241D091CEF177DA075683F8B,SHA256=0E38610A28D1ACE441DA95D13680E438977720EE484E4F00073C5DD3B2270F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:41.754{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC0987EEECF244672E3A159CA7490A9,SHA256=B4B93D7678FD10EE54FE271D4A8D8C70BAD0B6F345071189E48E11C3C8D1F966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029428Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:41.539{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC94AA9D91E44F88251FAEF749FB9779,SHA256=D74A292E612920E36E9E1DEDA9A453534B4BE88C2055AC57DFED0F6F78C9320E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029427Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:39.350{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com61234-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x800000000000000029426Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:38.760{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029425Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:41.242{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD464EFAE5DE98CF182F63B35703BACF,SHA256=0351239AA5F2EEC195838950D1FD40285D31D78FD04076A422F3603DE16DA685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:42.754{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6C9E0C78350F4372599E16E79646D81,SHA256=0CBD7ED68D2E5A0911980B1EC199593F464297BE2B079270AD059CDF0BCB6BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029429Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:42.554{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDAFA7BD7608BA0D9763596D8C70DF9A,SHA256=798F1BFE01DC4310615C389347B586D8374CF221C9DD9EC2D89E652401742CDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:43.769{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5A7D9564D2B49E49B58467E814F5A4,SHA256=843DEEB8E00991E0A13217A44B8BB3B8BFE69F08A271AD09CA163D435EF3E357,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029432Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:41.678{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com61415-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029431Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:43.570{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D144B28A8061EE01D7838FD45BD0F71D,SHA256=0FD8455F19E0F8F370F8936F4D3D659E18659A99DF5E00B89B60066E4DDB49A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029430Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:43.570{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8BA289173381BA8A1733C819BBE3E3,SHA256=6E5E1816EFF9569AF179EF53F131E03C8DAD96BC3BD1DAED560BFCF906C5A270,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:42.986{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59024-false10.0.1.12-8000- 23542300x800000000000000041653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:44.770{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635CAB1D92E290012BFABA9F67D81799,SHA256=02B3AB7B89D6AC5EA136D7E88D33D822CBBCF2867F2370BB810A594761190906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029433Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:44.586{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CAB60839E3CA1E8DE46C9519CF3B747,SHA256=956517F125E89A8258BCA036537935E71C129AC95501398FE857CF728B4B7EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:45.785{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7749BAA1D253EF43533ADCF86378CE4E,SHA256=C0FF97E4EB7BB94DFED06D3DDFA0B2101738C4CF699C19F6FF8CA17365D542BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029435Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:45.695{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73F306EAA1ECAA727FF2FF7D9AC68511,SHA256=F867D1A309D282B3908717A1C6C8372F1198DDA110E7911EEA4AE5D9320D9513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029434Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:45.617{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63FBF41041998314AFEC208E87C72D6,SHA256=B80E996E775FF289FCB31126EE4FB102644F529683770F3B281C08698C5156E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:46.801{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B34F1AEE6DBB401D8B27DB90F523D5,SHA256=9A3682B55E8AE62916EB254280049371FC68222CA32FDAAD7560120F1A88A6DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029437Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:43.788{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com61588-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029436Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:46.633{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EAC30676AA9332CD98F499106E4DB9,SHA256=54CC29CDAD425B431F5B6443BBAFB393667DBEB50F4BF986B5506DC1C9E591C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:47.809{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49703300D534FAE1665F916346D5B035,SHA256=AE8C8065FCDBA42255C94A4D803C4C8581D485221E1C1138437B2E75BE176F15,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029441Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:45.616{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com61724-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x800000000000000029440Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:44.760{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029439Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:47.658{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747ABB096720DCD89FF5945E1ECD0A28,SHA256=5E8A7343FD444D584F406120E50ABF7F2EF0CD0749076B6F7638228C742EE0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029438Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:47.533{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC1C4D90FB0B77A5A8E9D4F543C8FFDC,SHA256=A4400D0A753F6900A6BD40FF3D254DAC5EA9F508D623AF8C55B4F0C7C8976E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:48.825{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC42FE5023C6BCCF0B537E5700504EB,SHA256=5186A9D64BDE965356586FD76F1EC38D7B556E8640FFFF2386602D18ECB82253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029443Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:48.689{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53ADA821FE43C3B759A2EA1F3EEDAF61,SHA256=9DAA04C307BA8890FF7E8F6D95841801A68DF2B4276D1F236C2AD2BBDCD53DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029442Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:48.631{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-114MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:49.841{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23C88A2B9B64D51A145A77C48E84ED6,SHA256=16952E5739805282BFF7AFF3938E71DDD2B1B072DC1BDA000C62B8D79205CE7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029447Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:49.926{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C551AB66BE991ED9D8EA5A70BAF74E46,SHA256=0E60889B7767C6C32D0C2EE7FCECED8F0098D51F0F5D7E7699CFF7AB5F42B6B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029446Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:48.015{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com61916-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029445Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:49.708{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E64FA19CCEC2D71C417E79BE73927DC9,SHA256=7439EB3A4E328FDA0D66FB4F634150AD96BC21F1530ED0DC8EE6A5F83007E7A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029444Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:49.643{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-115MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:50.856{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BB272B77DA24A5019B39BF9272A7F2,SHA256=E2A656DAF967EA1FA91C0B984769CA7B85744D4A4E6AFB76451B5D204FF1A1E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029448Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:50.710{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32806C1F7012E4041360CF677BE9DA7C,SHA256=F82946B82F0AAC5453B3661691B459C39C8187BF4D761E5CA9AC9652BAFE0A2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:48.073{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59025-false10.0.1.12-8000- 23542300x800000000000000041662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:51.872{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881E8B691BA153B130B53C8FCA8BAE6C,SHA256=3626065DE900A3754D7B6EF6F2CFB78B7A641588CAA01E83A25EAEF87170B2FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029450Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:51.851{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6DD44E0DEF2C2A105503EC13CB152609,SHA256=9190692198821499363649288EBB455D12CC3E2EA934489CF93BD681DA89FA5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029449Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:51.726{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD45AB56438564C9F08C860582D10AA8,SHA256=F77E072990C8BCBA6D25E0D1C27B49DDEC7712F215728370EA3C8ABAC200E84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029452Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:52.757{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA266BB3629727D09F312E8BBDFBA298,SHA256=A739055E780E27ED1091771A2A2FE49DF66DDE2894C6B4C42A052E8006089D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:52.887{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD34158786ABEFC03E849E906032EA9D,SHA256=EB83CA1D9D4E1663269DDA3236AD70870A14A4A962E3D75AEA547FCAA2DB13F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029451Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:52.241{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79239C225FCB591430BE547ECA76BFFA,SHA256=F8DAFEA6DB408BB5F9D43F8BBAF8293EF56AFAE16684546B469503E229C20F99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:53.903{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BCF9FF84D9D227C03FAD5766D305E5,SHA256=5B3D9229F1A7D1CADB86FB23110BC7FAF53EAE479BC4B90BCF5E84EB697DCF69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029455Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:53.804{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A885139581A59C564C1BDAC678D5C7,SHA256=08910C7487BEA9BE9FF76F96E1D92A945F0877BA4AF513E94CDE51AC8A76074E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029454Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:50.603{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029453Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:50.344{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com62097-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000041665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:54.919{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF54A47107585DC61A34D02C66A4D47C,SHA256=A3C4381E8E71EE338AE38B30E3B0E7EB22AF6C3F2E832ADDF98FFC89690233F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029457Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:54.835{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D345F141F32C06ECA8AD4E3FEDE938,SHA256=97F9DB976FA98F365FCA03A5F127F9A10F1E4FC305CC313AABFABD3078730921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029456Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:54.522{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B900302995E82D283EE6963FE61CECCA,SHA256=A74504A18D3264B9091C171314D77448F2415E0078C08EFEC0F64D9471DE99CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:55.934{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A143C287CB8114713DAE85BF48B889A,SHA256=DEF3DE339B2B496C8C78C13C0CEF6BB9CFE735A17C6EA50374D4AF7888F6CBC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029459Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:55.851{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84402985250DCFDBBD6FFEF9AFAD7736,SHA256=A60B06A43F4AF84176D1A5C6AB77648DC15128BFE69FA61AFD6F4F07A9334D05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029458Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:52.580{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com62268-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029460Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:56.882{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAE744607825BC750632B6835BBDE2C,SHA256=8074B3E930348FD46D45A6495CF170F3A0FB4478A16D6294FA13758B9CDDBFB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:56.934{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7F71AB5F94290B4621F3C768854DCD,SHA256=D659E807703DEEFD16EC5DB7194512567D6A37A9B0CE9487E55A63077C58A1DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:54.042{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59026-false10.0.1.12-8000- 23542300x800000000000000029463Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:57.976{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEF3607EF3B776841EC73181D4C1029,SHA256=B6D4F8CDC5A0F6D47CFA781B1C4B6ECDAD3FE477305D1EC6CAAB8AFECBE86185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:57.950{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD5DD4DB0F683413771A9065E0459BA,SHA256=B0F4E936CB12173CE0ACF9843868661D4A90005F66D043B48E1C362AF39C3C5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029462Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:55.273{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com62473-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029461Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:57.163{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3AC85D28044374ED57C09AF8787145B,SHA256=4E54AFFEA3E6BCCAA113FBE02C82A19B07C0B7C79E352381F3D2FB975EE616B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:58.966{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CE5F7441C85CC043BD3A45133756D3,SHA256=37652770D9C5ED4393305CE1638C126CBE292175EF456A2B44374633C0157FFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029464Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:58.991{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B31B3AB2B1BDB86D4FA9DCD56C59FB4,SHA256=DA70E62EE6856ECE5D8E3BD06A773AFD40668E2F06DED245D02A157218AC9931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:59.966{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E9372619D9CD7A3C51486E3607F670,SHA256=762456576F621E810F4438508E3B497AE5A5A9AC19479EFC5DFF9F2497E11CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029467Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:59.991{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99253F1FC78AB67E0CC770CB0BD56C0,SHA256=ECC06577819972C89149ED053DA8FCD3956222B0782893A61967797552452A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029466Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:59.788{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B77B09E49B7A5389F00F313E18091028,SHA256=A782A65B3423AE8D47A93196B8FE3C46139EE7CF3AC239A3B7A1529BF5428BBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029465Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:56.634{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000041672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:00.981{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21351BB6C4ECE7092F4A44369887B09,SHA256=14D090AC8F5E1994088AC4D1106D668CED6B1DFD416C1FDF4C464686DB78BA91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029468Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:40:57.884{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com62683-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029469Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:01.007{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BD9917D665EFFB6DCE581350DB664C,SHA256=DBF3F2C10DC72D7B386533D06A517B4087F0B406ECD2E7665A29B76E0073A52E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:40:59.104{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59027-false10.0.1.12-8000- 354300x800000000000000029472Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:00.239{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com62857-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029471Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:02.132{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=554019B1D748C9AF03BE0DB5BB8E38B5,SHA256=A1430402F2595FFB3E33EB425198B8FEF4E6AB98E303793BFF891552763DCE7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029470Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:02.023{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99460D37DBC35EB76EB20FE6DFA433B1,SHA256=E13010352DDA163AB901D12D64AEE885E483A64E8683372455DD9C40F73A11CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:02.700{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=38FCD9BD8E49294B131A19A6DA8A2F01,SHA256=DF5989AB277B04AA00EACB7BE3FC5B1B20C8631CA10A379C75DD399AFBBF1146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:01.997{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4189ECCB4DBC987E47C5006B4964F06,SHA256=876D57FBB9596D8974DFB44434E90F6FEF9E0E64F79020FE0729434DD0EC8042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:03.012{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3ED6F754C883FA2E2C043D32F8E09EC,SHA256=DD1EEA6BC6D8D627D3337D8EBCE3B29CD7EB0459B7316A4FDBF2AAC08CDCAD25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029474Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:03.976{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DECAD008B6308B457AF3401FFAB2F97B,SHA256=D88E4CA0F05DE79CF1A4CA2509450E4EFD4E506C9206CB3514743D819302C3F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029473Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:03.023{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F789E6DD1D25FBD0CC213D2FACB18D2F,SHA256=6072DFCD5CEC2EF96638A1AAB56C959398C2367545356F69F7DC6FF657389CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:04.028{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D113D64E12A37F5430B1CAACC5AFA6D,SHA256=0CEEEA2946EB21A17E63E1F234226F94DB3C95EC2C3DCC7AAE29193D7BB954CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029477Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:02.023{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com62996-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x800000000000000029476Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:01.650{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029475Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:04.069{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0F26D1ECD2C9341991F55BDCEBE3B0,SHA256=CAB94DF8AD5630259094EE1D5DB1385A142BC8C8B22838EB4B72904C80C2425D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:05.059{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1423C09DEF128B482283A1E0880CB7C,SHA256=C8F35CACA474A24D7E27BEF9F4D83C151FEF516161C2E248D21024F7E3F4B953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029478Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:05.101{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE200FCD5DD3F86E6B1B4BF57B57A4E,SHA256=7DDF81BA3D61885BD2D878DFF86154F0DD3FD4EC9462A0130A00D62A2661F05F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029481Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:04.364{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com63180-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029480Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:06.257{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5F1C9F5966EED16324F27C9877E0282,SHA256=9C445B6353436F2F4B8921CA54F89A0668758A71F33634092D6CD54C2FCFCA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029479Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:06.132{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F2CC64534397C93E8F1D479537AF8D2,SHA256=481165EDBD911AF883197D562CB66B69667C7048CA9E45C030FA2711900D5906,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:05.089{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59028-false10.0.1.12-8000- 10341000x800000000000000041692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:06.340{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7972-616D-1B09-000000000402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:06.340{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:06.340{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-7972-616D-1B09-000000000402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:06.340{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7972-616D-1B09-000000000402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:06.341{8D4DD44E-7972-616D-1B09-000000000402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:06.184{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EA3923B7ABA3FB1766253B0BA2CD20,SHA256=52E5FAC64F8E795BE2D4A8FEA1E90361A0A81B4C44DECABE52E3D5FDA8F29C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.775{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.712{8D4DD44E-7973-616D-1D09-000000000402}1964512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.509{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7973-616D-1D09-000000000402}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.509{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.509{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.509{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.509{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.509{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.509{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.509{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.509{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.509{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.509{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-7973-616D-1D09-000000000402}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.509{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7973-616D-1D09-000000000402}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.510{8D4DD44E-7973-616D-1D09-000000000402}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.431{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7B963DDC9F4A98878B02C6C488E7360,SHA256=F23127C266C1EC308C25836728B070C1EFDE749EAA14D2CAF7FA7B3D4E6E1AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.431{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE89EADC41DF2638B15C29C58D12E17A,SHA256=4D42D59B288EBB525DCE05F6C136B1246B0EC922D5E9A527D9B6119A61F5CD50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.275{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D491C921717F3EF14373B6413D2637,SHA256=58F892A298E9F478502142DB67A5D9283E1DDDF93A5FA8075FAE400617964BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029482Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:07.172{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559085D79C97F2F00DF5E9B040CA0DE8,SHA256=876828DD627F12363D1CC4F503C00CE4479F14B8608EA855F0272390D833C079,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.009{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7973-616D-1C09-000000000402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.009{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.009{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.009{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.009{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.009{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.009{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.009{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.009{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.009{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.009{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-7973-616D-1C09-000000000402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.009{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7973-616D-1C09-000000000402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.009{8D4DD44E-7973-616D-1C09-000000000402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000041740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:08.665{8D4DD44E-7974-616D-1E09-000000000402}42964892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:08.556{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7B963DDC9F4A98878B02C6C488E7360,SHA256=F23127C266C1EC308C25836728B070C1EFDE749EAA14D2CAF7FA7B3D4E6E1AE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:08.493{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7974-616D-1E09-000000000402}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:08.493{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:08.493{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:08.493{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:08.493{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:08.493{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:08.493{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:08.493{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:08.493{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:08.493{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:08.493{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-7974-616D-1E09-000000000402}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:08.493{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7974-616D-1E09-000000000402}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:08.494{8D4DD44E-7974-616D-1E09-000000000402}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:08.431{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3B1DBA6802121E14A4350390AE4E72,SHA256=6D91AF466CD93A780FE5C1E45673D7C2CDEB1C1E10E551AD981B47D6C96DAACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029489Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:08.906{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=0C79A0BC7DD5E5813495446D6231C188,SHA256=086836619A019167957BEC23B6AFCF558395DF1AA21E8AA5FCEEA13ED738F1C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029488Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:08.906{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=B57951F64E627F60EF244F33319EE755,SHA256=CA6E843723B094A2EF6C984E032847CA5CA2991B0615F0E7BF4018E001158358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029487Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:08.906{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=D266805817E4DAD912452C6A3FFFA5D0,SHA256=1921C716EB08767D8922BFEE2ED4643513CB7F2EAED1A54CAC6369A969F8BD0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029486Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:06.089{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com63320-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029485Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:08.406{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029484Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:08.187{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB208BC48658A49FE6CBD2A03EC5711,SHA256=067C26A53DFCFF70BD50279EBFF220E998452EC76FF5874F23CB1EED7181470B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029483Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:08.000{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5798F9D2BD9ADCE67615BD00FE3070E3,SHA256=94A5E1389A72244D3B4D7DA87EE4151E23A0427A1222E6E0B770B9B6162144E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041769Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.946{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7975-616D-2009-000000000402}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041768Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.946{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041767Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.946{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041766Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.946{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041765Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.946{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041764Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.946{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041763Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.946{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041762Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.946{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041761Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.946{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041760Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.946{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041759Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.946{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-7975-616D-2009-000000000402}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041758Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.946{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7975-616D-2009-000000000402}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041757Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.948{8D4DD44E-7975-616D-2009-000000000402}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000041756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.681{8D4DD44E-7975-616D-1F09-000000000402}50084848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000041755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:07.632{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59029-false10.0.1.12-8089- 23542300x800000000000000041754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.446{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE503059E86ACBE3F41AB66FB6B2A43,SHA256=214424871EDF8DE2A28D8A61BE88B5629DD495F7DC533679DC8033279B91A720,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.446{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7975-616D-1F09-000000000402}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.446{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.446{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.446{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.446{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.446{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.446{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.446{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.446{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.446{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.446{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-7975-616D-1F09-000000000402}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.446{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7975-616D-1F09-000000000402}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:09.447{8D4DD44E-7975-616D-1F09-000000000402}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029493Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:07.939{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000029492Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:07.893{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com63466-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x800000000000000029491Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:06.723{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029490Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:09.187{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95FB9698251A15A8063F1A7833819F52,SHA256=F05D3976F0E522B3AEE5A35A2B6D8B33B6FB56E12735C3530BA00A154975935F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:10.915{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5480873BB91460A038AFEC9A6B0B7455,SHA256=3E1B4178A04B31D1DB8B6D664D12759EA69C19BD8B899CD6DFCB89EFA66A7C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:10.915{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D51A6DB5D2C2067874476540919B8B7D,SHA256=8EE3F21D6FF201B749EA2617F6EEF0289606457AD59034B79E16FD2F25D05096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029495Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:10.218{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DDCB0EDE220D39B1B54F386F5194BC,SHA256=A665D5D7290CA8896AA6DC43612D8D8AC77BCC60F29056A5558A22BC850B353C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041770Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:10.212{8D4DD44E-7975-616D-2009-000000000402}38444464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029494Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:10.171{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A2BA2BD1AE19CA6BED97C60F0A641D9,SHA256=036F071885C13F28174AF7216CEF6F2317A197C128CA470FDF778DE84442A1AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041786Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:11.962{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7977-616D-2109-000000000402}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041785Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:11.962{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041784Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:11.962{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041783Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:11.962{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041782Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:11.962{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041781Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:11.962{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041780Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:11.962{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041779Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:11.962{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041778Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:11.962{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041777Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:11.962{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041776Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:11.962{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-7977-616D-2109-000000000402}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041775Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:11.962{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7977-616D-2109-000000000402}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041774Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:11.963{8D4DD44E-7977-616D-2109-000000000402}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:11.931{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0726371BD53590A241C31EF701758C,SHA256=544BB20E1F68F5F2EFBDF3BDF7440FE5CD07ABE927F8BEDBAA92D28247A20ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029496Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:11.234{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B07DF658CE7F94E226AB2C16FED658E,SHA256=FC0461F871FD8211FB02645EF2B33B2AE46F7599F570B5A27596E9A5C125C306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041787Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:12.962{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECAA33468C26A8E2A341FE2820598B6,SHA256=A94CB17F450D166A7EA1DC93406B68AEA036BA862CBD462EBBC5819E6EE2B610,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029499Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:10.226{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com63638-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029498Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:12.296{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2117D9DE08995EB749974A75800ABDE1,SHA256=F7CA075FC62913A0BDA1892995AE67FF3001B9C9D94F741995974271D91C0E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029497Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:12.140{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99DB2B1EA66C95FED88C616FFF4B416F,SHA256=38FD4B328580857D860E6D3D04A8DE8925AD60E7544BEDFB25398708CAB2DA73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029500Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:13.312{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64DF56EF9728F5C6A16454D3A429F2D,SHA256=7E14F7741829ADCFDFBC004285D50805F16F8BB7780E9F452A9366F5525BEC14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041789Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:11.054{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59030-false10.0.1.12-8000- 23542300x800000000000000041788Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:13.009{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E16F5F5028063879381304A43182DCC7,SHA256=406661825266560AFEAB9FF1074FF665B5D013FDDDD9F4320B0EBF445DBE8FC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029504Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:12.720{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51167-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029503Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:12.632{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com63830-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029502Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:14.531{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A60E395EC0309EFFA2E9DD9E9D778F0F,SHA256=5CC702575558B0BC28A387F4B1FF1AB7256C962F63D44DFD34D0A6F5E5B3F51F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029501Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:14.359{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E41ABCC2FCB9C587D4250252C81F0B3,SHA256=2200D6991E3F03C3C99731E180F5AFE5569313A85C28806FA528376A149C378A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041790Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:14.150{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D9CF20970F5822473FD45130AA4502,SHA256=7AD612420717352BD95335BBB1FAD1BD95D1E283450CCE9B60B972B04CDA6E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041791Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:15.165{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02CA53F43EE6BF4D2DE4C0FE97EE82A3,SHA256=D8E568C6A06060B3BAE5247289DB54C2EA266FA9B5EAE8906A813402FBD5D9DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029505Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:15.375{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E4AE1EB5C3125CB348C420EE191C34,SHA256=17AE7C52E296678940D8317C1EAB3AAEFFF6CBE4D09C32F932A48A1FC82D2D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041792Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:16.259{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D83315EDA433A519681AB63D708827D,SHA256=5B2E8C206F80D6D83CAEC6CFBFCEFF3306D35642D23816CB870D245134579B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029507Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:16.421{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D258D4F1ABFA1F195E200C6E09552635,SHA256=79C486A35A7DC0DF245735C56B6C6FC32930A8B813D987B8029CECCF5A03EA2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029506Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:16.296{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=153819DB5C1F83A0EB2BEA5262550B73,SHA256=B803DD1BBAE65311B0ADB9EFD60354F8873C5035AFE62232800DDB5EF6B29CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041793Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:17.337{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A14B71FA9C67A82658AB49FD9548832,SHA256=0F7CC1E0942B5A752C194721E71E9AFFDDD39EC88FC4692626FBE1E8B31C314A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029509Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:17.422{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC6CE8B5EF3A1C504F2A0651A1726F5,SHA256=3F81211688E89F05B8E4DF49EB9A857DE2A7E301A31D42959C5EB4A6B44E1BBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029508Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:14.396{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com63965-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000041794Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:18.556{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F9DAFC86AAB6A1B4F8CC61A5B96836,SHA256=9296B67F67B9F58B221C120E8FED3AC314FD605E5A056BD89B8959E90E7FF877,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029512Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:16.551{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com64138-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029511Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:18.500{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFC57BB13F9EC3B9D3E2FF6517C3B58,SHA256=0546C28329AD143727482A8899B225538DD73C5FD2A39EC92ACD21CCB235C942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029510Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:18.437{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2B4EE9305B931E9733915BD122E606A,SHA256=41CAD6643E173ED25E7E028EAFC5F2233881277524727AEFFDBC2D32FD7AC6D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029513Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:19.515{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8AFA5A863ED2C7121419B54ECA0DF4,SHA256=B75858AC13304778ABB085A728EC0BEB6C7EF1D7481698DA6745C22E227107CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041796Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:19.587{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAB0905A86DE31A67899265A1599DBD,SHA256=0D74B23946CCADE6AC78E3044A97D9ACEE5B0EB4F88470B7130DD3AD94056C86,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041795Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:17.038{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59031-false10.0.1.12-8000- 23542300x800000000000000041797Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:20.587{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89E4B45F0F98D1E9DB6A2C212AC1C4E,SHA256=29ACF85B77A524BD02048731CA9F1720DF36552E43194C9BBAA4AE0C81646FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029517Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:20.968{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BE4A59EC287BD3E607B920A2F5D8215,SHA256=63FC1A553779610C90DC6EB167BA00D133DBC43EA63F4A4599E8117E0B3960F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029516Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:19.065{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com64330-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x800000000000000029515Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:18.688{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029514Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:20.531{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13CA038DF22856A11A58A1DB6C5A3E63,SHA256=2BDCD4CC13DED7195DC7D4AB8BE4B7A0B6B2C63BE6BF9B12CCBF31591327C211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041798Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:21.603{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C0AE1EB7F0A18CCC118EFBF6590D44,SHA256=6F1208988828534CC8A7464970C03B940EB8AB9145F88C723AF77C2CDA77B8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029518Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:21.546{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=479D68ABEAAC11139C46CB0AF336FC1F,SHA256=C9889763C76878E1E29B4D5A5CF26BFF61B3BCE3B3BA58C85E569212490199FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041799Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:22.618{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C38FDC81FE70FDF3746EB8929FCC32F,SHA256=0C964326C53FB760741ECE2996734692BA17B54DACC3893E2356A2D75050832C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029520Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:22.750{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2486FA6CCF63630102B66EFE026664CB,SHA256=1B593BA8FD4D9A20C0E35EFA808E0985C290D6ADA8B347330F1E0D72ACAE4A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029519Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:22.562{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72458596161B45DF6A3A76D15F90D9C8,SHA256=670AF86B6F831CD88930F650C00F8B31D6EA555F3A82746B636AC6B3C12BA988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029522Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:23.578{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FF34FADD02068283A45DC036CDAA5A9,SHA256=06A3477B2AEDFF809E1CEE228B6674094C78C3E6C7F36EE0E080357D50816B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041800Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:23.649{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05973E80379633D3E76ED62DFD7F32EE,SHA256=045169DA2B142E003FA727C83B14AB1B34652CDD2928584B374DF1748DF55ABB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029521Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:20.850{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com64475-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029524Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:24.937{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B85F03DB5C196C0CFEE04949CA184078,SHA256=D2A47A611D74B6D7ED055C866431F226251FE545EDFB83041EA80D78F0B92D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029523Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:24.640{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F268007FB9CCE3EA1304D7740D0853F,SHA256=67096EDB2C5D5D03BC165C3C590AEF7A64060D163D4EAE84AD2800C84B7533B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041802Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:24.696{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11CB723523BA2E7E82688BD783A0B279,SHA256=66CBFE9FB8CE3042312750E4D54D161899AB9E181D24CC70F0D386CA78B5B7B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041801Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:22.069{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59032-false10.0.1.12-8000- 23542300x800000000000000041803Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:25.743{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342C434089B8ADEB9A628E325E14C75B,SHA256=DC9CF56CF985311B213BA5E802D6EFA814DACEC42E8AE62E5FD9189A4CBA6F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029526Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:25.671{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6384D0E865BB41F631B9F02C6C98C869,SHA256=B2603D7612CF61730CA6CBFF8788CACB11AB1E5DB66EBC26E88081DB86C2D599,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029525Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:22.993{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com64652-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000041804Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:26.790{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E954EC33D879D91271EDEAA1468CAA79,SHA256=2449FDE3C68308B3E675DDE7DBFD55FF418C68EEE3C6502FF4717192C6FADA4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029529Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:26.843{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=212D55F73EE0A847CC6737AF7EACD4AC,SHA256=B6F5BD4F1943948A0E621E083DBCD8DC9C1E992AADEA5E1827838F40FDCD89CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029528Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:26.703{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698412D5D532F71C47367AE40E0C3150,SHA256=2A7046EA410FDBC678D573B3C5A5F195E8FDC68599FFE2D7FE35AD09E0D8880C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029527Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:23.782{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000041805Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:27.936{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFF5C3A0FBF7FFE9DFE4FC91F8CA897,SHA256=A89B6805C87A0C8CE1122D9734D0EF033286C56FF15B8BABA9917513772DD6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029531Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:27.706{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BFE9DB47AE581DA0CDB52030530BDC,SHA256=A7E2AA90004E5974A02716120FB7D547B48A1214DC4A66DB8D7934AEEC714F44,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029530Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:24.956{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com64794-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000041807Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:28.947{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83C1103A58E7E0DA1E8E5963BEB6ABB,SHA256=8E4B9950FF5A58673D22A108D8434C652EF6346D9F9BD8F9969E5BAC37886301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029532Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:28.721{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1EAF6703030CEB74F8A09A8D8136B3,SHA256=857A4FEB2EA6DD931FAD517B6DC3977A814C1D487DC8041F520EB93BFE23AA45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041806Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:28.427{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-123MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041809Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:29.980{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FBE31E9B4D6E8F126AFAAFAFC9A346,SHA256=2F445DFA0AB76DFA29762D1AB336E6CC9E55A8A43A36837747105326F2A86536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029535Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:29.737{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0060F2213EFD1320FDDD02FC883A66,SHA256=97737897EC2276AB891ADD382A5B7F3FC6EC02F2F5820C3E9EEBFAD7A0AD29C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041808Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:29.433{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-124MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029534Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:29.112{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9229C7D713A3290645EC4DCA1D628CCC,SHA256=96403415E27CEAA5B667501166B28607254EE9917FE1E0387FBBCCEDB0ECE152,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029533Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:27.180{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com64952-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029536Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:30.753{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD40DC923EC7CDFB808C47D2D7405FE,SHA256=8A860074E3B1CBC43F8B97C9C2ED95DF205775B71D4464060328A6A6F8765434,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041810Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:27.965{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59033-false10.0.1.12-8000- 10341000x800000000000000029565Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.971{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-798B-616D-E206-000000000502}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029564Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.971{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029563Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.971{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029562Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.971{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029561Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.971{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029560Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.971{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029559Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.971{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029558Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.971{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029557Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.971{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029556Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.971{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029555Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.971{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-798B-616D-E206-000000000502}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029554Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.971{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-798B-616D-E206-000000000502}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029553Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.972{6F8252D3-798B-616D-E206-000000000502}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029552Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.768{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF309C20B0BE71A5E8D7CE8A41C02E8,SHA256=5B4B307D38A4D24D67E4C2F9AA10B144ED71686B6F83DA33286701D59C8F6C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041811Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:31.011{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E4650540B23C6FFAA540BD608C795F5,SHA256=14F654D919F120463FDB280ADB1705B6FFD5FE51B02F6D7DEAFD4B55270537C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029551Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.471{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-798B-616D-E106-000000000502}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029550Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.471{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029549Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.471{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029548Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.471{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029547Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.471{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029546Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.471{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029545Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.471{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029544Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.471{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029543Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.471{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029542Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.471{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029541Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.471{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-798B-616D-E106-000000000502}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029540Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.471{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-798B-616D-E106-000000000502}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029539Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.472{6F8252D3-798B-616D-E106-000000000502}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029538Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.253{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8A638452604D8F93ABCF01B1490864A,SHA256=C0C3460F0B044EE42857680CF661EB6851A47A69BAF2119F5C19181D3F5FBD90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029537Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:29.357{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com65134-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029582Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:32.815{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528ED5E2E2605BF251F7EB618F068E8B,SHA256=814F0A9B8C85EF87D7CE2D9A92CB81D756EF8D017D709028066F41CCD2613C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041812Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:32.246{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52ACA5CE05FBB4143A4614873021C1FD,SHA256=B12036D397E4C5CB37C315B0B75FC471C7613F49ABC4A53A2327E916A2874912,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029581Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:32.659{6F8252D3-798C-616D-E306-000000000502}39043412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029580Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:32.487{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-798C-616D-E306-000000000502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029579Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:32.487{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F67785739E7C9B6EA31C0CED4AA36C9,SHA256=A2EAD1715C14696AFFC38AB2D9AA85C1350FB0DDB231272AD380F4A1264BE1F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029578Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:32.487{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029577Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:32.487{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029576Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:32.487{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029575Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:32.487{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029574Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:32.487{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029573Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:32.487{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029572Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:32.487{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029571Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:32.487{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029570Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:32.487{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029569Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:32.487{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-798C-616D-E306-000000000502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029568Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:32.487{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-798C-616D-E306-000000000502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029567Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:32.488{6F8252D3-798C-616D-E306-000000000502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029566Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:29.722{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029598Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.909{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5AFE7757A662CE1B5EFE6E206ACD17,SHA256=5B735BA9AF4034D8CBA6F7B0E1F4586D740EC0A3BC0C32C38E053F2E5E163168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041815Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:33.371{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C4F654CB5D269A9056EA948666F3DC,SHA256=7D51E75E32C0337D3932FB80BF72A84C6F59BE00FE2A1ED09512E57DA4D4E0D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029597Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.690{6F8252D3-798D-616D-E406-000000000502}3388216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029596Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.534{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-798D-616D-E406-000000000502}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029595Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.534{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029594Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.534{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029593Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.534{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029592Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.534{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029591Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.534{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029590Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.534{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029589Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.534{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029588Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.534{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029587Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.534{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029586Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.534{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-798D-616D-E406-000000000502}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029585Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.534{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-798D-616D-E406-000000000502}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029584Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.534{6F8252D3-798D-616D-E406-000000000502}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029583Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.518{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E50046E9CCF7653C729D1472C367E631,SHA256=3FA21B7C017C15122C229B580A1CB1B95E0CCEE9D50D174ED7A941F8929F6DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041814Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:33.121{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEEB9A8D8825A382B6811D5437C97BF4,SHA256=54C19D14225CF2573B32F03399C45DE4E5318DCA8C35D500BA3C269189E41D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041813Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:33.121{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=510F98F7F37552E6907219B314EE2AE1,SHA256=9B597C21641FFA93F0E4E347B175BE2BB257072754B4601BE0380E8C308164D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029614Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:34.924{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFBB45D1131AAD27EF6327865B84AB7E,SHA256=216979C64B02A0A68C73FA01CD60398D353142DA4E043EBF8FEC75BFF0295A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041818Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:34.386{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A5BD8871E2322216E51197DB5ED275,SHA256=69167A998BACB0CE6D2A4B164075D4B56BBE26B6171C121EB3F3A05914AA4E54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029613Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:34.753{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-798E-616D-E506-000000000502}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029612Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:34.753{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029611Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:34.753{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029610Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:34.753{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029609Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:34.753{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029608Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:34.753{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029607Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:34.753{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029606Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:34.753{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029605Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:34.753{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029604Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:34.753{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029603Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:34.753{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-798E-616D-E506-000000000502}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029602Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:34.753{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-798E-616D-E506-000000000502}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029601Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:34.753{6F8252D3-798E-616D-E506-000000000502}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029600Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:34.581{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=517C799E05488247BB47BBFD53976237,SHA256=4B007BF78AC90A31F2C40E20BFF2DC78F6C0A983CF53CFC4A31492814E89B7FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029599Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:31.927{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com65337-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x800000000000000041817Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:31.978{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local59034-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000041816Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:31.978{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local59034-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000029631Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.971{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442BE1ADC8E071DAA803E044F3B440F3,SHA256=492CA6DEA8BD1AB9E46B28808A8345BADF36603480CDA756A0882FFD6B8AE4B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041820Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:35.402{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CBBC862EE434907B1CC060B526B7E8,SHA256=9470A36D8E690E259580CC2F8EFDD6B8F266DE1FC259C9835718987C0E5F49D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041819Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:33.056{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59035-false10.0.1.12-8000- 23542300x800000000000000029630Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.690{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C95FD338C0D13AE8349053FDB2497116,SHA256=AB1C72FA99ACC80099800043D811663CCE5EDDD0EDEA6457A0B5A7419E7025F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029629Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.596{6F8252D3-798F-616D-E606-000000000502}996856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029628Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.424{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-798F-616D-E606-000000000502}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029627Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.424{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029626Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.424{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029625Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.424{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029624Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.424{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029623Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.424{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029622Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.424{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029621Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.424{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029620Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.424{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029619Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.424{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029618Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.424{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-798F-616D-E606-000000000502}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029617Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.424{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-798F-616D-E606-000000000502}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029616Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.425{6F8252D3-798F-616D-E606-000000000502}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029615Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:33.777{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com65484-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029646Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:36.987{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A24CC84337267A834A1FBDA0C947655,SHA256=8E00FC276C247FD5CDC88C5CB53711F850A90625B4CD3103D0516F4C5BB3E5B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041821Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:36.417{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410DF56827591426C456BBBD015030B0,SHA256=6F7910A6F194E87D3302911C77387A1F38F4AF6B0404C29357FA3879110887A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029645Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:36.289{6F8252D3-7990-616D-E706-000000000502}992632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029644Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:36.081{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7990-616D-E706-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029643Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:36.081{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029642Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:36.081{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029641Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:36.081{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029640Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:36.081{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029639Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:36.081{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029638Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:36.081{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029637Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:36.081{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029636Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:36.081{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029635Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:36.081{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029634Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:36.081{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-7990-616D-E706-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029633Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:36.081{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7990-616D-E706-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029632Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:36.082{6F8252D3-7990-616D-E706-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041822Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:37.605{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57BA5A520A92A9CB96408EC218B13B4C,SHA256=0AFC1019DE3CB171672D7AF70CF8FC3E1E4C22B89AE798B7DA1D3F213CC1CB6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029649Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.629{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com49256-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x800000000000000029648Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:35.629{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029647Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:37.081{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E157762E97388B95CA4A3CCA27F4BD30,SHA256=CDD4B5FB20862DA221502009A4334BDFED2E158979E34D07BC1DB52062E4A4CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041823Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:38.683{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96628B100F9990A1EED0A4AA5BA85701,SHA256=DD474DA5D51FD9CEC91CDB86B51379F87E7260203D694D7088E9EA46A54430D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029650Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:38.003{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4787B98930EED3A1DF17DDFD270BB7B6,SHA256=68B3ABF1B619FDE14A7C6531E2EAA03D83105FF3BF9F043475E3E16BDD28B735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041825Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:39.699{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8633E3864CD960E346E79C6465E04DB6,SHA256=84E984367C2B6BD9731546D6B2E35D85C880032EF229FE5D2A7FE179D27D2451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029652Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:39.972{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB3D74DED7D0A34EF2BD20D9BE888A22,SHA256=270B210C0E4F24552796C65F56708498F32FD2B800A4FE1856F69E3501253BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029651Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:39.049{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809CEA944CC3201565528B84DB5EE48D,SHA256=6A3FB4B554DC09B14B581EFB8F83076B34DF7E9AF72C889B1C235C29C0064210,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041824Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:38.118{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59036-false10.0.1.12-8000- 23542300x800000000000000041826Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:40.730{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CF7B5A98716780BA752DF10660E75C,SHA256=9B4C2CDD2C186F1DD2A8714115C387EA2B97F025195E0B2FBF7311589B1411FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029654Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:38.023{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com49457-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029653Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:40.065{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2D60962CE9ACB66AC3B3BC23420DC9,SHA256=16347DF2C9F575981D43FADC00F6638F4D7D2C36BF13DD1811001347922FFF09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041827Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:41.761{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD890F4DC80878188447CB06530378BC,SHA256=A4455502AE8F050BB90A8449E0CF971C79587126A0DA4EB265AAEAD84160652C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029655Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:41.096{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A12516D2975BEFBD536088B2CE54C39,SHA256=48EF6D438149D0463169867168593A05A38DCE09203FDAAA10243DB9F449DE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041828Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:42.761{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1862C043843173F113152512A56125A0,SHA256=4727D7A879A7E6B414C2B3092B8E04F3E18178E32E0896298EB2EE8F9574C5D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029659Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:42.721{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76AEC3AC94DDF4EBE6DB929562E36016,SHA256=71F18911BA8C7B23CAE5968179BE18EDDCE170099DBBE2F98723B1D0351EAFB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029658Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:40.785{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029657Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:40.771{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com49649-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029656Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:42.112{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378FB8C92376E63906384E1C73E43A3A,SHA256=8B85454E70F9E257F1CD32A02BACA15B7D1A19875C124A551B0700A8AAE63B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041829Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:43.777{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485ECDC99B16ED6A31D500DA63DD38FD,SHA256=BBC87DEA7DA7FF00D3514604BFD8C82F3D126F406BFEF4E64A9A8C32891793D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029660Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:43.128{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EEBDCF119CEFBC724A5AC031E7E39AA,SHA256=1A8149637A6466973DB670F336A5C6A456B59DD06ED995D140DBCB0C709CA2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041831Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:44.808{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4AF52E28E9C6B0427B0CA5B09E3454,SHA256=03B4DBF5723C1294A7D15E416A86283FBA8C6EB0DECBBE36524F7E59A7547B8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029663Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:42.671{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com49786-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029662Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:44.596{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4BA50AB79E2A8E721F6F442BB9D838E,SHA256=7405452A62F329A2EC13E803EE710F5917C7BE10392690A2AFBF855BDA8CEFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029661Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:44.175{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE75DBC9169C77A84EE8BF7E9FC1211,SHA256=D276FDE6DE07C273B11E5CBD80EF2C48B77A46A80B16246990E159CB53E94526,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041830Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:43.134{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59037-false10.0.1.12-8000- 23542300x800000000000000041832Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:45.839{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5817FC6B51AF6FA2CE9192BC001C47DD,SHA256=1C2AECE99466DFF843105473A90BB77BD0BF4F49BA58286FF271105F462D3A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029664Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:45.206{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FE8494488D51E2F1E6E58587CB51AA,SHA256=4E422E01B81BC9E6BE344E852FD3E5DD42DD29C7224DD12E8455B41247C42669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041833Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:46.871{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F394A38DE08496F686F5BB2E1D2596,SHA256=C170E69815694084B48817031FB8DC332DE4D0F31393FB97DBF44AD37717676A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029667Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:44.546{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com49938-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029666Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:46.487{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4C2ADB0C8DB1A6D62F9630330DAB802,SHA256=F9E6DF1F531D7B9E1D47613490BFDE6F24B320E7840C7E0B5845C5A621293092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029665Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:46.221{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19418C9180C4DCD394F29EDE956B7497,SHA256=C6B725B5393652F97575F9439BCD7D057E935395B3234E884314A023A7A18A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041835Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:47.903{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F41DA122F04C7D11C5059D4B9BCF98D,SHA256=D9CF7A6AB9FCACA6BB059EB0128FA68DA7423179F70BC9B019D0A5A91C7AE912,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041834Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:46.057{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse18.169.157.221ec2-18-169-157-221.eu-west-2.compute.amazonaws.com21345-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x800000000000000029668Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:47.237{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67ACA450C1E595EA6B87C0D0C81F5F3,SHA256=B35792E4906CEBCD0AFED2652F32955FA54BC245F61CBBA1B60EEBAD97247F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041836Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:48.935{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB287D53FDE8396E60BAC3667FA1067,SHA256=425A4D8925B6775099C82A58D5E6CECDE1EACAC4690EA8DDD707C74698034352,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029672Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:46.644{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029671Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:46.349{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com50073-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029670Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:48.268{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85EFD22BB0AAD06A45F28E7128A27C1B,SHA256=411E4353EC2F25934402FD62A20805804E0FF86569C0D8EA10C564829A1B0819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029669Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:48.237{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=541A25264BBB2E20B23DD0082E92F5D6,SHA256=0878E37A457C792633D1F08B9C4E3587B708BBDEEA581CA8FF4848DA5FD0ACFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041838Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:49.966{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D00A6BC6CEB36C568EE5483DC222B6E5,SHA256=EA6934A7DF0C037FA85DF94D2A647476C0945881FEC6FEDF47C1BD21FA5D4D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029673Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:49.284{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17681C95C2EABED42282EE69D983D792,SHA256=8E5D7BA3FF2696EA33033F8D178E2FB9AB2724354B985FF3BA85D75B54B46B94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041837Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:49.903{8D4DD44E-5BA9-616D-1400-000000000402}10684888C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000029677Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:48.832{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com50273-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029676Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:50.735{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B38BE4A20A052C206926662E1A32EB3A,SHA256=7C9F926C25564C1A1084E123922C47236E2AAAD49CBD97C36BACAE906EC2702B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029675Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:50.297{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5395FAB53F9D7F212A2B425B6CC66B6,SHA256=6AD33EEBCD94CA4FA746222F661CEF6E26470093737A8907B31EBC2ED3381375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029674Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:50.165{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-115MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029680Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:51.861{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8D7C7A446E469857F85A92EB5E57ADA5,SHA256=B103ECEF27C273D6AB3DDD81B5725A3686307165402791300810A9F30813FA19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029679Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:51.327{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8FFAFE8981B953D3ACEB493A8B6478,SHA256=1B634409F334C2B98FC4CA7A0B25D165294EC3CF68431E2D8867B61EF5300F61,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000041897Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:51.794{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x800000000000000041896Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:51.794{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x800000000000000041895Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:51.794{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x800000000000000041894Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:51.794{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x800000000000000041893Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:51.794{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x800000000000000041892Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:51.794{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x800000000000000041891Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localInvDB-DriverVerSetValue2021-10-18 13:41:51.794{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}\0002\DriverVersion10.0.14393.0 13241300x800000000000000041890Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:51.778{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x800000000000000041889Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:51.778{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x800000000000000041888Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:51.778{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x800000000000000041887Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:51.778{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x800000000000000041886Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:51.778{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x800000000000000041885Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:51.778{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x800000000000000041884Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localInvDB-DriverVerSetValue2021-10-18 13:41:51.778{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0002\DriverVersion10.0.14393.0 23542300x800000000000000041883Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.622{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9BC301FE581BB13E5DB907A48F092E,SHA256=7F59AC7D4990FC3B58A0B41D1CD20A492E31F72ACD4DA6F777D88A26C16D6F5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041882Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.528{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041881Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.528{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041880Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.528{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041879Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.497{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041878Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.497{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041877Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.497{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041876Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.497{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041875Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.497{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041874Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.497{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041873Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.497{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041872Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.497{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041871Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.497{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041870Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.497{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2309-000000000402}3768C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000041869Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.497{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000041868Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.497{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000041867Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.497{8D4DD44E-799F-616D-2209-000000000402}49402904C:\Windows\System32\smss.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x800000000000000041866Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.503{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e72SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{8D4DD44E-799F-616D-2209-000000000402}4940C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000b8 0000007c 10341000x800000000000000041865Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.497{8D4DD44E-5BA4-616D-0200-000000000402}3204064C:\Windows\System32\smss.exe{8D4DD44E-799F-616D-2309-000000000402}3768C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041864Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.497{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2309-000000000402}3768C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041863Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.482{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041862Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.482{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041861Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.482{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041860Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.482{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041859Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.482{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041858Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.482{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041857Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.482{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041856Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.482{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041855Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.482{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041854Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.482{8D4DD44E-799F-616D-2209-000000000402}49402904C:\Windows\System32\smss.exe{8D4DD44E-799F-616D-2309-000000000402}3768C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x800000000000000041853Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.482{8D4DD44E-799F-616D-2309-000000000402}3768C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e72SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{8D4DD44E-799F-616D-2209-000000000402}4940C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000b8 0000007c 10341000x800000000000000041852Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.466{8D4DD44E-5BA4-616D-0200-000000000402}3204064C:\Windows\System32\smss.exe{8D4DD44E-799F-616D-2209-000000000402}4940C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041851Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.466{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041850Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.466{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041849Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.466{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041848Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.466{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041847Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.466{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041846Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.466{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041845Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.466{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041844Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.466{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041843Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.466{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041842Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.466{8D4DD44E-5BA4-616D-0200-000000000402}320960C:\Windows\System32\smss.exe{8D4DD44E-799F-616D-2209-000000000402}4940C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x800000000000000041841Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:51.471{8D4DD44E-799F-616D-2209-000000000402}4940C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000b8 0000007c C:\Windows\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e72SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{8D4DD44E-5BA4-616D-0200-000000000402}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 354300x800000000000000041840Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:49.104{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59038-false10.0.1.12-8000- 23542300x800000000000000041839Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:50.997{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90130DF168DF50C2E764E658CCB4711C,SHA256=4659F3A0CEE39680999B6EB30B0E05478FAE807338FE31C1BF4A0D2C0AD29AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029678Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:51.173{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-116MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029683Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:50.522{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com50399-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029682Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:52.424{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4D130FE1C6C62B5FBA7BFB65EFD4F2D,SHA256=BBC8D8DCF84B3B7794195E101DBAC082DD9CE4361E30172DF6953947AEB61415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029681Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:52.346{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A753718080EF640292502101496AC4,SHA256=D3FD5476C4101B26793006B9C00A6BC844F93882597A948623EAA74759063F1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.747{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.669{8D4DD44E-79A0-616D-2509-000000000402}26043652C:\Windows\system32\LogonUI.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48684|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.669{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.669{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.653{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2609-000000000402}4548C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.653{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2609-000000000402}4548C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.653{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2609-000000000402}4548C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.591{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0A587E83181F463FC744A71AAE0266BB,SHA256=B7C4973AFA5E96840B05659AD6489C8F2241F005214CCCCF4E23A43465EF2391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.591{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8C7B3BF0150F777CC244FF5BA03E7300,SHA256=98DE8C70FEA7D627A9CF0647581AE3C5BB3B6C7842DDAC1048405DDC6C93ED8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.497{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8258471A3CFB642162C9443C7DEFCBB9,SHA256=E9EB3F631EFC6F918451C4E16BF11DC150F1C18D59F0B9FBEBC03E99E3B8231A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.482{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FCACAECF7F5A6CFDC08AAEB044912D55,SHA256=8F1B830FD359226ABFD80CFC0F1481929361A92E3F2390CF019785FBA756D05D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.466{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.466{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.466{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.466{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.466{8D4DD44E-5BA9-616D-1600-000000000402}12921908C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2609-000000000402}4548C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041949Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.466{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2609-000000000402}4548C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041948Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.451{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87F8256227DBA8C1A20D25A3C890C2C9,SHA256=51B54F2DDEF8D447C7DA61870AA6E9A123BE6B7B025028E1F3D3A0FE62387444,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041947Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.388{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-79A0-616D-2609-000000000402}4548C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041946Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.372{8D4DD44E-799F-616D-2409-000000000402}4924708C:\Windows\system32\winlogon.exe{8D4DD44E-79A0-616D-2609-000000000402}4548C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041945Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.372{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041944Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.372{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041943Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.372{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041942Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.372{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041941Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.372{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041940Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.372{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041939Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.372{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041938Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.372{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041937Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.372{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041936Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.384{8D4DD44E-79A0-616D-2609-000000000402}4548C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-2{8D4DD44E-79A0-616D-FFF7-500000000000}0x50f7ff2SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\System32\winlogon.exewinlogon.exe 10341000x800000000000000041935Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.372{8D4DD44E-5BA6-616D-0B00-000000000402}6284720C:\Windows\system32\lsass.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1e088|C:\Windows\system32\lsasrv.dll+1d2b1|C:\Windows\system32\lsasrv.dll+1c000|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041934Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.372{8D4DD44E-5BA6-616D-0B00-000000000402}6284720C:\Windows\system32\lsass.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1e088|C:\Windows\system32\lsasrv.dll+1d2b1|C:\Windows\system32\lsasrv.dll+1bad0|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041933Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.372{8D4DD44E-5BA6-616D-0B00-000000000402}6284720C:\Windows\system32\lsass.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1a4b6|C:\Windows\system32\lsasrv.dll+1ba5f|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041932Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.357{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041931Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.357{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041930Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.357{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041929Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.357{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041928Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.341{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAC797094E890847468046AAC411F2BD,SHA256=95209CA0A72C72885DDB0DEE71F91863D3B8E00D9B2FF4D3D67366ECC1785493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041927Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.341{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEEB9A8D8825A382B6811D5437C97BF4,SHA256=54C19D14225CF2573B32F03399C45DE4E5318DCA8C35D500BA3C269189E41D5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041926Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.310{8D4DD44E-5BA9-616D-1600-000000000402}12924292C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041925Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.310{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041924Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.278{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041923Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.278{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041922Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041921Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041920Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041919Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041918Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041917Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041916Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041915Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041914Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041913Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041912Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041911Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA6-616D-0B00-000000000402}6284720C:\Windows\system32\lsass.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041910Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA6-616D-0B00-000000000402}6284720C:\Windows\system32\lsass.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041909Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-799F-616D-2409-000000000402}49241268C:\Windows\system32\winlogon.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041908Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.273{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a6e855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\System32\winlogon.exewinlogon.exe 10341000x800000000000000041907Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA6-616D-0B00-000000000402}6284720C:\Windows\system32\lsass.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041906Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041905Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041904Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA9-616D-1600-000000000402}12924292C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041903Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA9-616D-1600-000000000402}12924292C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041902Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.263{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041901Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.247{8D4DD44E-5BA9-616D-1600-000000000402}12924292C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041900Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.247{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041899Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.107{8D4DD44E-799F-616D-2309-000000000402}37684284C:\Windows\system32\csrss.exe{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000041898Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:52.028{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341A21A26F6AE488D78BD2C9C4F0F268,SHA256=7CB299A4F83E6E9393D8C5F96ABC360150D8E59D49EC2E92EB388B5DD83906A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029684Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:53.377{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8752E452C58179AC6C1D5D0E5BE58A0,SHA256=CDACCA592005A0529B339FA1AADE65B91C91F225CA108DEE308633BB0D424C37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042130Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-79A1-616D-2809-000000000402}4752C:\Windows\system32\efsui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042129Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042128Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042127Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042126Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042125Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042124Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042123Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042122Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042121Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042120Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042119Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042118Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042117Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-79A1-616D-2809-000000000402}4752C:\Windows\system32\efsui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042116Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042115Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042114Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA6-616D-0B00-000000000402}628660C:\Windows\system32\lsass.exe{8D4DD44E-79A1-616D-2809-000000000402}4752C:\Windows\system32\efsui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\efsext.dll+2d2c|C:\Windows\system32\EFSCORE.dll+18451|C:\Windows\system32\EFSCORE.dll+17c2a|C:\Windows\system32\EFSCORE.dll+17805|C:\Windows\system32\EFSCORE.dll+18bd|C:\Windows\system32\efssvc.dll+1337|C:\Windows\System32\sechost.dll+b71a|C:\Windows\System32\sechost.dll+a574|C:\Windows\system32\lsasrv.dll+544be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042113Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.990{8D4DD44E-79A1-616D-2809-000000000402}4752C:\Windows\System32\efsui.exe10.0.14393.0 (rs1_release.160715-1616)EFS UI ApplicationMicrosoft® Windows® Operating SystemMicrosoft Corporationefsui.exeefsui.exe /efs /installdraC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=6DFA1BBB4D2F89DC46BACABC83B6AB95,SHA256=1106CE6AE6EDFFA752D71F5EFF9FAAB53360CFFC6B224957760FBDC0A7D4FF17,IMPHASH=B865E978ADDB9A939A91896A60E81464{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeC:\Windows\system32\lsass.exe 10341000x800000000000000042112Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042111Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042110Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042109Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042108Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042107Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042106Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042105Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042104Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042103Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042102Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042101Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042100Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042099Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042098Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042097Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042096Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000042095Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000042094Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+37c3|c:\windows\system32\SYSNTFY.dll+1dcb|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49e88|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042093Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48684|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042092Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.919{8D4DD44E-79A0-616D-2509-000000000402}2604NT AUTHORITY\SYSTEMC:\Windows\system32\LogonUI.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.binMD5=E871053170AD09568882637D049295DC,SHA256=CEA9EABB0B46AC602CDC3FB6FE6215981F2D7C0C6A5C5023CE72860232DBE12B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042091Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.903{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042090Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.903{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042089Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.903{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042088Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.857{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C57F1DABF1E4918D7D2F6DBA0B69F4E4,SHA256=627E1E4D5A99B39CE366570098AADDCF35655CE5BFA83E502EC1137C0F212693,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042087Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.794{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042086Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.794{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042085Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.794{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042084Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.778{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042083Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.778{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042082Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.778{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042081Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.778{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042080Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.778{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042079Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.778{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042078Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.778{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042077Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.747{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A1-616D-2709-000000000402}1340C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042076Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.732{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-79A1-616D-2709-000000000402}1340C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042075Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.732{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A1-616D-2709-000000000402}1340C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042074Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.669{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1fb5a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+158ce|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042073Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.638{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2609-000000000402}4548C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042072Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.638{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2609-000000000402}4548C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042071Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.638{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000042070Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.638{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000042069Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.638{8D4DD44E-5BA9-616D-1600-000000000402}12924292C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48684|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042068Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.638{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042067Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.638{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042066Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.638{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042065Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.622{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000042064Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.622{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000042063Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.607{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000042062Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.607{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042061Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.607{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042060Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.607{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042059Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.607{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042058Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.607{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042057Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.607{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042056Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.607{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042055Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.607{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042054Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.591{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.591{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.591{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000042051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-10-18 13:41:53.591{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Enum\SWD\ScDeviceEnumBus\1\FriendlyNameMicrosoft Passport Container Enumeration Bus 13241300x800000000000000042050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localInvDB-DriverVerSetValue2021-10-18 13:41:53.591{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0003\DriverVersion10.0.14393.0 23542300x800000000000000042049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.497{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B679DCC1D55C4FC4FC8D570C58C340,SHA256=34182707107D40D714704141B82140159C104B5BAAB61609575F169E0432A658,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.435{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.435{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.435{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.435{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.435{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1e088|C:\Windows\system32\lsasrv.dll+1d2b1|C:\Windows\system32\lsasrv.dll+1bad0|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.435{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1a4b6|C:\Windows\system32\lsasrv.dll+1ba5f|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000042042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-10-18 13:41:53.435{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Enum\SWD\ScDeviceEnumBus\0\FriendlyNameSmart Card Device Enumeration Bus 13241300x800000000000000042041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localInvDB-DriverVerSetValue2021-10-18 13:41:53.435{8D4DD44E-5BA4-616D-0100-000000000402}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0002\DriverVersion10.0.14393.0 10341000x800000000000000042040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.419{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.419{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.419{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.419{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.419{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.419{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.419{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.419{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.403{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.403{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.388{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.388{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.388{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.388{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.388{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.388{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.388{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.388{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.388{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.388{8D4DD44E-5BA9-616D-0F00-000000000402}3082740C:\Windows\System32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1297|c:\windows\system32\termsrv.dll+6aab8|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.388{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.388{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.388{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.388{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.388{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAC797094E890847468046AAC411F2BD,SHA256=95209CA0A72C72885DDB0DEE71F91863D3B8E00D9B2FF4D3D67366ECC1785493,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.372{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.372{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.372{8D4DD44E-5BA6-616D-0B00-000000000402}6284720C:\Windows\system32\lsass.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.372{8D4DD44E-5BA6-616D-0B00-000000000402}6284720C:\Windows\system32\lsass.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.372{8D4DD44E-5BA6-616D-0B00-000000000402}6284720C:\Windows\system32\lsass.exe{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.372{8D4DD44E-5BA6-616D-0B00-000000000402}6284720C:\Windows\system32\lsass.exe{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.372{8D4DD44E-5BA9-616D-0F00-000000000402}3082740C:\Windows\System32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1297|c:\windows\system32\termsrv.dll+6aab8|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.372{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.372{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.247{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7551EC38472B3D6340A33D5C7A2DC9,SHA256=F3D36DFD26ECE5DBFD497AC9FA6B6E2290695F3BA58EEAFED68AA5118F87D2A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.247{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1190706B523DA8B7EFBEA81375693C23,SHA256=A2DC63091901AC7C0129A1C2844FD990AB842F23CBF73DCC865373D938EE6657,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:49.713{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.104.66.206ppp-93-104-66-206.dynamic.mnet-online.de53856-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 10341000x800000000000000042003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.107{8D4DD44E-5BA9-616D-1000-000000000402}4961776C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.107{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1700-000000000402}1404C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.107{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000042000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.107{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000041999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-18 13:41:53.107{8D4DD44E-5BA9-616D-0F00-000000000402}308\TSVCPIPE-4780db3a-6839-41e2-a307-96878a690e87C:\Windows\System32\svchost.exe 10341000x800000000000000041998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.107{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.107{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.107{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000041995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-18 13:41:53.091{8D4DD44E-5BA9-616D-0F00-000000000402}308\TSVCPIPE-4780db3a-6839-41e2-a307-96878a690e87C:\Windows\System32\svchost.exe 18141800x800000000000000041994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-18 13:41:53.075{8D4DD44E-5BA9-616D-0F00-000000000402}308\TSVCPIPE-4780db3a-6839-41e2-a307-96878a690e87C:\Windows\System32\svchost.exe 10341000x800000000000000041993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000041992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000041991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-18 13:41:53.075{8D4DD44E-5BA9-616D-0F00-000000000402}308\TSVCPIPE-4780db3a-6839-41e2-a307-96878a690e87C:\Windows\System32\svchost.exe 17141700x800000000000000041990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-CreatePipe2021-10-18 13:41:53.075{8D4DD44E-5BA9-616D-0F00-000000000402}308\TSVCPIPE-4780db3a-6839-41e2-a307-96878a690e87C:\Windows\System32\svchost.exe 10341000x800000000000000041989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2500-000000000402}2776C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.075{8D4DD44E-5BA9-616D-0F00-000000000402}3081880C:\Windows\System32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1297|c:\windows\system32\termsrv.dll+6a79d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.060{8D4DD44E-5BA9-616D-1600-000000000402}12921416C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.060{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.060{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.060{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.060{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.060{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.060{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.060{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.060{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.060{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49e88|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.060{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48684|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.060{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48684|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.060{8D4DD44E-5BA9-616D-1600-000000000402}12921416C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48684|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.060{8D4DD44E-5BA9-616D-1000-000000000402}4961776C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.060{8D4DD44E-5BA9-616D-1000-000000000402}4961776C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.060{8D4DD44E-5BA9-616D-1000-000000000402}4961776C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2509-000000000402}2604C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029686Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:54.611{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF95017C81D1496F3C419D0C9752B398,SHA256=1133AC077AE4EE42DB95045827B7069AE95A60D9A0D989673FB8DAA1EAD70102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029685Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:54.408{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00E0F15E69DC89C009DD606107A08BE,SHA256=387F6B2FA0F76C69AE4CA5BB12DE69A9E624BDF60067F86D97D8FE73A77E41D5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000042377Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.982{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\ldapserverintegrityDWORD (0x00000001) 13241300x800000000000000042376Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.982{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorsealDWORD (0x00000001) 13241300x800000000000000042375Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.982{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\requiresecuritysignatureDWORD (0x00000001) 13241300x800000000000000042374Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.982{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\enablesecuritysignatureDWORD (0x00000001) 13241300x800000000000000042373Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1101SetValue2021-10-18 13:41:54.982{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001) 354300x800000000000000042372Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.662{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59040-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local49666- 354300x800000000000000042371Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.662{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59040-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local49666- 354300x800000000000000042370Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.661{8D4DD44E-5BA9-616D-0D00-000000000402}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59039-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x800000000000000042369Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.661{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59039-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 10341000x800000000000000042368Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.888{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042367Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.888{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042366Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.888{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042365Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.888{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042364Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.888{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-79A2-616D-3409-000000000402}5036C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042363Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.888{8D4DD44E-79A2-616D-3309-000000000402}51004740C:\Windows\system32\userinit.exe{8D4DD44E-79A2-616D-3409-000000000402}5036C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+23e5|C:\Windows\system32\userinit.exe+346e|C:\Windows\system32\userinit.exe+3725|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042362Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.718{8D4DD44E-79A2-616D-3409-000000000402}5036C:\Windows\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\Explorer.EXEC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=F7FDECA990692D53D7E4E396B0BD711E,SHA256=1F955612E7DB9BB037751A89DAE78DFAF03D7C1BCC62DF2EF019F6CFE6D1BBA7,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{8D4DD44E-79A2-616D-3309-000000000402}5100C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 734700x800000000000000042361Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.060{8D4DD44E-79A1-616D-2809-000000000402}4752C:\Windows\System32\efsui.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x800000000000000042360Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.700{8D4DD44E-5BA9-616D-1600-000000000402}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\tmpgptfl.infMD5=F443C7B00E42C58336E9113C4B92A1EA,SHA256=01406B7BD612A8321213382482E44EA2C7B5467B57E17E9C135EAB2A8221FAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042359Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.685{8D4DD44E-5BA9-616D-1600-000000000402}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\tmpgptfl.infMD5=26FFB2926F32F78EAEF80D8A870A88C6,SHA256=BA4E44773C9233D16C9950097A1D1FEF3AB2E8376120959E529DC97EF1871D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042358Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.685{8D4DD44E-5BA9-616D-1600-000000000402}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\gpt00001.infMD5=DBBF697C05F302D06DD05403297DB608,SHA256=632CAD193E30E450B7753E6D16643B576DFABAA1FA60E8D29DA7665946810599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042357Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.685{8D4DD44E-5BA9-616D-1600-000000000402}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\gpt00000.domMD5=338F5A9E4E606FC803055C8314E3F366,SHA256=DD15D6AD575AD10CBA979783EE68DC6A5A21ECDABDB4E0678F83870931BBD317,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042356Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.653{8D4DD44E-5BA9-616D-1600-000000000402}12922312C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-3309-000000000402}5100C:\Windows\system32\userinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042355Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.653{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-3309-000000000402}5100C:\Windows\system32\userinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042354Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.653{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-5BA4-616D-0100-000000000402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+31345|C:\Windows\system32\lsasrv.dll+2f1db|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000042353Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042352Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042351Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042350Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042349Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.591{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-79A2-616D-3309-000000000402}5100C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042348Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.591{8D4DD44E-799F-616D-2409-000000000402}49243648C:\Windows\system32\winlogon.exe{8D4DD44E-79A2-616D-3309-000000000402}5100C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+ea76|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042347Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.598{8D4DD44E-79A2-616D-3309-000000000402}5100C:\Windows\System32\userinit.exe10.0.14393.0 (rs1_release.160715-1616)Userinit Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationUSERINIT.EXEC:\Windows\system32\userinit.exeC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=C1B1FFC800BE2F31EB2CF8CB40629C69,SHA256=CFC6A18FC8FE7447ECD491345A32F0F10208F114B70A0E9D1CD72F6070D5B36F,IMPHASH=BFA137B16F3492AFCA0551687B067C04{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\System32\winlogon.exewinlogon.exe 10341000x800000000000000042346Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000042345Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-18 13:41:54.544{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\EFS\StartDWORD (0x00000003) 23542300x800000000000000042344Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.497{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89BB5BC45DE69DDBE437FD8819072631,SHA256=09628A39F236B6B1BE32570A9EFF49B4B5F11FDCC7D2714BB662BA8DC6B5375D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042343Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.482{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042342Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.482{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042341Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.482{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+3a1a|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49e88|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042340Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.482{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042339Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.466{8D4DD44E-5BA9-616D-1600-000000000402}12921908C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\sessenv.dll+3de88|c:\windows\system32\sessenv.dll+f881|c:\windows\system32\sessenv.dll+677c|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49e88|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042338Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.450{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=545CB1CDFCE287C272AFB0E5284AC1DD,SHA256=4B3C9B13CB4431BC18DC05EFFC305EB5CCBDD6C336D21EC5891A02BB82E6E365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042337Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.450{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0A587E83181F463FC744A71AAE0266BB,SHA256=B7C4973AFA5E96840B05659AD6489C8F2241F005214CCCCF4E23A43465EF2391,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042336Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042335Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.419{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042334Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.310{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC386D04DA9C4AA8F88330805109B77,SHA256=C074299E1E937054BAF2399DA8AEB665D8ED8A2F694C676D34540841AADDE402,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042333Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.278{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042332Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.263{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6B3BD263DDE4A931380647B63FC7A3,SHA256=7A3C762A6EE8578B1ACC23D08D268D7E750325707159A18147135E57CB4A7E2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042331Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.247{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-79A2-616D-3209-000000000402}5024C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042330Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.232{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042329Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.232{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042328Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.232{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042327Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.232{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042326Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.232{8D4DD44E-79A2-616D-3009-000000000402}22444832C:\Windows\system32\conhost.exe{8D4DD44E-79A2-616D-2E09-000000000402}2576C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042325Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.232{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042324Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.232{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042323Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.232{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042322Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.232{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042321Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.216{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-79A2-616D-3209-000000000402}5024C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042320Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.216{8D4DD44E-5BA9-616D-1600-000000000402}12921908C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-3209-000000000402}5024C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+108c6|c:\windows\system32\UBPM.dll+d439|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042319Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.216{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042318Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.216{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042317Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.216{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042316Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.216{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042315Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.200{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-79A2-616D-3009-000000000402}2244C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042314Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.200{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042313Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.200{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042312Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.200{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.200{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.200{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.200{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.200{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.200{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-79A2-616D-2E09-000000000402}2576C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.200{8D4DD44E-5BA9-616D-1600-000000000402}12921908C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2E09-000000000402}2576C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.200{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.200{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.200{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.200{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1700-000000000402}1404C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.200{8D4DD44E-5BA6-616D-0A00-000000000402}620360C:\Windows\system32\services.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.200{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.185{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.185{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2609-000000000402}4548C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.185{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.185{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2609-000000000402}4548C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.185{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.185{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.185{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}6202816C:\Windows\system32\services.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1dc37|C:\Windows\system32\services.exe+17f38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x800000000000000042290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_5208a3\Description@%%SystemRoot%%\system32\WpnUserService.dll,-2 13241300x800000000000000042289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_5208a3\FailureActionsBinary Data 13241300x800000000000000042288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_5208a3\Security\SecurityBinary Data 13241300x800000000000000042287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_5208a3\DisplayNameWindows Push Notifications User Service_5208a3 13241300x800000000000000042286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_5208a3\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000042285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_5208a3\ErrorControlDWORD (0x00000000) 13241300x800000000000000042284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_5208a3\StartDWORD (0x00000003) 13241300x800000000000000042283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_5208a3\TypeDWORD (0x000000e0) 13241300x800000000000000042282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_5208a3\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-14000 13241300x800000000000000042281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_5208a3\FailureActionsBinary Data 13241300x800000000000000042280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_5208a3\Security\SecurityBinary Data 13241300x800000000000000042279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_5208a3\DisplayNameUser Data Access_5208a3 13241300x800000000000000042278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_5208a3\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000042277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_5208a3\ErrorControlDWORD (0x00000000) 13241300x800000000000000042276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_5208a3\StartDWORD (0x00000003) 13241300x800000000000000042275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_5208a3\TypeDWORD (0x000000e0) 13241300x800000000000000042274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_5208a3\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-10002 13241300x800000000000000042273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_5208a3\FailureActionsBinary Data 13241300x800000000000000042272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_5208a3\Security\SecurityBinary Data 13241300x800000000000000042271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_5208a3\DisplayNameUser Data Storage_5208a3 13241300x800000000000000042270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_5208a3\ImagePathC:\Windows\System32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000042269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_5208a3\ErrorControlDWORD (0x00000000) 13241300x800000000000000042268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_5208a3\StartDWORD (0x00000003) 13241300x800000000000000042267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_5208a3\TypeDWORD (0x000000e0) 13241300x800000000000000042266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_5208a3\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-15000 13241300x800000000000000042265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_5208a3\FailureActionsBinary Data 13241300x800000000000000042264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_5208a3\Security\SecurityBinary Data 13241300x800000000000000042263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_5208a3\DisplayNameContact Data_5208a3 13241300x800000000000000042262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_5208a3\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000042261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_5208a3\ErrorControlDWORD (0x00000000) 13241300x800000000000000042260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_5208a3\StartDWORD (0x00000003) 13241300x800000000000000042259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_5208a3\TypeDWORD (0x000000e0) 13241300x800000000000000042258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_5208a3\Description@%%SystemRoot%%\system32\APHostRes.dll,-10001 13241300x800000000000000042257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_5208a3\FailureActionsBinary Data 13241300x800000000000000042256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.185{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_5208a3\Security\SecurityBinary Data 13241300x800000000000000042255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.169{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_5208a3\DisplayNameSync Host_5208a3 13241300x800000000000000042254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-18 13:41:54.169{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_5208a3\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000042253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.169{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_5208a3\ErrorControlDWORD (0x00000000) 13241300x800000000000000042252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-18 13:41:54.169{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_5208a3\StartDWORD (0x00000002) 13241300x800000000000000042251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.169{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_5208a3\TypeDWORD (0x000000e0) 13241300x800000000000000042250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.169{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_5208a3\Description@%%SystemRoot%%\system32\cdpusersvc.dll,-101 13241300x800000000000000042249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.169{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_5208a3\FailureActionsBinary Data 13241300x800000000000000042248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.169{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_5208a3\Security\SecurityBinary Data 13241300x800000000000000042247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.169{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_5208a3\DisplayNameCDPUserSvc_5208a3 13241300x800000000000000042246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-18 13:41:54.169{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_5208a3\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000042245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.169{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_5208a3\ErrorControlDWORD (0x00000001) 13241300x800000000000000042244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-18 13:41:54.169{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_5208a3\StartDWORD (0x00000002) 13241300x800000000000000042243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:54.169{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_5208a3\TypeDWORD (0x000000e0) 10341000x800000000000000042242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.169{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.153{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000042236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.153{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000042235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-18 13:41:54.153{8D4DD44E-5BA9-616D-0F00-000000000402}308\TSVCPIPE-4780db3a-6839-41e2-a307-96878a690e87C:\Windows\System32\svchost.exe 18141800x800000000000000042234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-18 13:41:54.138{8D4DD44E-5BA9-616D-0F00-000000000402}308\TSVCPIPE-4780db3a-6839-41e2-a307-96878a690e87C:\Windows\System32\svchost.exe 23542300x800000000000000042233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.122{8D4DD44E-79A0-616D-2509-000000000402}2604NT AUTHORITY\SYSTEMC:\Windows\system32\LogonUI.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{17A6A947-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.dbMD5=F3DC4461F59519C68ABD86B979EA9762,SHA256=5896967D61C1C716C98511DCFC267A12749D330E5DEB35ECCB4690DFA756C964,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.122{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.122{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.122{8D4DD44E-5BA9-616D-0D00-000000000402}9043884C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.122{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.122{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.107{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.107{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.107{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.107{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.107{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-18 13:41:54.107{8D4DD44E-5BA9-616D-0F00-000000000402}308\TSVCPIPE-4780db3a-6839-41e2-a307-96878a690e87C:\Windows\System32\svchost.exe 10341000x800000000000000042217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.107{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.107{8D4DD44E-79A2-616D-2B09-000000000402}4384912C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000042215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.107{8D4DD44E-79A2-616D-2B09-000000000402}4384912C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000042214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.107{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.107{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.107{8D4DD44E-5BA9-616D-1600-000000000402}12923384C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.107{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.107{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.107{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.107{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344CC1A7872B9AFA241E3CFE17230821,SHA256=0E9B97CC39894D5231D98CBBEE2EA5B4DFAFDCE9F4679807D4994FDC5C5860AA,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000042207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-18 13:41:54.091{8D4DD44E-5BA9-616D-0F00-000000000402}308\TSVCPIPE-4780db3a-6839-41e2-a307-96878a690e87C:\Windows\System32\svchost.exe 23542300x800000000000000042206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.075{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057CEC267C8BB9675C5CFB56A001AC80,SHA256=EC882991D69DE7AB06B37087D7327F8310CE8A007B3DD6BF03B423223F6ECC4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.060{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.060{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.060{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.060{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-799F-616D-2409-000000000402}4924C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.060{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-79A1-616D-2809-000000000402}4752C:\Windows\system32\efsui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.060{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-79A1-616D-2809-000000000402}4752C:\Windows\system32\efsui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.060{8D4DD44E-5BA9-616D-1600-000000000402}12921908C:\Windows\system32\svchost.exe{8D4DD44E-79A1-616D-2809-000000000402}4752C:\Windows\system32\efsui.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.060{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79A1-616D-2809-000000000402}4752C:\Windows\system32\efsui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.044{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.044{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.044{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2609-000000000402}4548C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.044{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A0-616D-2609-000000000402}4548C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.044{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.044{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.044{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.044{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.044{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.044{8D4DD44E-5BA9-616D-0F00-000000000402}3082740C:\Windows\System32\svchost.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+1982c|c:\windows\system32\termsrv.dll+2320b|c:\windows\system32\termsrv.dll+22643|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 154100x800000000000000042185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.040{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 10341000x800000000000000042184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.028{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000042183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.013{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79A1-616D-2909-000000000402}3328C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.013{8D4DD44E-5BA9-616D-1600-000000000402}12923384C:\Windows\system32\svchost.exe{8D4DD44E-79A1-616D-2909-000000000402}3328C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.013{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79A1-616D-2909-000000000402}3328C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BB9-616D-2500-000000000402}27764288C:\Windows\System32\spoolsv.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\spoolsv.exe+1b7c3|C:\Windows\System32\spoolsv.exe+1b629|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a28b|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-79A1-616D-2909-000000000402}3328C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2500-000000000402}2776C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2500-000000000402}2776C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042167Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042166Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042165Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042164Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042163Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042162Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2500-000000000402}2776C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042161Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042160Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042159Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042158Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042157Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042156Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042155Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042154Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042153Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042152Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042151Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042150Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-79A1-616D-2909-000000000402}3328C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042149Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042148Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042147Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042146Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042145Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79A1-616D-2909-000000000402}3328C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042144Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-79A1-616D-2909-000000000402}3328C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{8D4DD44E-5BA8-616D-0C00-000000000402}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000042143Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042142Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042141Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042140Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042139Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042138Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042137Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.997{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042136Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042135Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042134Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042133Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042132Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042131Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.982{8D4DD44E-5BA8-616D-0C00-000000000402}8481700C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000042484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.943{00000000-0000-0000-0000-000000000000}4752<unknown process>-tcptruefalse10.0.1.14win-dc-185.attackrange.local59043-false10.0.1.14win-dc-185.attackrange.local389ldap 10341000x800000000000000042483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.810{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.810{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.794{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.794{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000042479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.439{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-185.attackrange.local59050-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000042478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.439{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59050-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000042477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.431{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59049-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000042476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.431{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59049-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000042475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.408{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59048-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local49666- 354300x800000000000000042474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.408{8D4DD44E-79A1-616D-2809-000000000402}4752C:\Windows\System32\efsui.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59048-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local49666- 354300x800000000000000042473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.406{8D4DD44E-5BA9-616D-0D00-000000000402}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59047-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x800000000000000042472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.406{8D4DD44E-79A1-616D-2809-000000000402}4752C:\Windows\System32\efsui.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59047-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 10341000x800000000000000042471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.716{8D4DD44E-79A3-616D-3809-000000000402}30044764C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.716{8D4DD44E-79A3-616D-3809-000000000402}30041448C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000042469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.040{8D4DD44E-79A1-616D-2809-000000000402}4752win-dc-185.attackrange.local0fe80::499a:5ff5:cd3f:fbde;::ffff:10.0.1.14;C:\Windows\System32\efsui.exe 23542300x800000000000000042468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.606{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A00F121F377605F8897BA9550B6671E,SHA256=46DFF162A5B62B66F3C3FDBE58BB627159CB8528456F0669EBC8B2B9CB3DD792,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.591{8D4DD44E-5BA6-616D-0A00-000000000402}6202660C:\Windows\system32\services.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.591{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.575{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1111846415AA3F6DFB697A118A980CF,SHA256=B073085DE81EA83548A870810F4E1DC6BE73C506BA4C4BE96F02ED925A8AD5A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.575{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.575{8D4DD44E-5BA6-616D-0A00-000000000402}620360C:\Windows\system32\services.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.575{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1e088|C:\Windows\system32\lsasrv.dll+1d2b1|C:\Windows\system32\lsasrv.dll+1bad0|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.575{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029689Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:55.439{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA814DC1FC16D36500EC4497CC8B594,SHA256=C2F89CBFF17A9AC860FABF802A5ECE02013BF0E43D118F573F5CB6CDCA52D459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.575{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.575{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.560{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.560{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.560{8D4DD44E-79A3-616D-3709-000000000402}14885048C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000042455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.560{8D4DD44E-79A3-616D-3709-000000000402}14885048C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000042454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.560{8D4DD44E-79A3-616D-3709-000000000402}14885048C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000042453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.560{8D4DD44E-79A3-616D-3709-000000000402}14885048C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000042452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.560{8D4DD44E-79A3-616D-3709-000000000402}1488708C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000042451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.560{8D4DD44E-79A3-616D-3709-000000000402}1488708C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000042450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.560{8D4DD44E-79A3-616D-3709-000000000402}1488708C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000042449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.560{8D4DD44E-79A3-616D-3709-000000000402}1488708C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000042448Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.560{8D4DD44E-79A3-616D-3709-000000000402}1488708C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000042447Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.544{8D4DD44E-79A3-616D-3709-000000000402}1488708C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000042446Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.544{8D4DD44E-79A3-616D-3709-000000000402}1488708C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000042445Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.528{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042444Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.528{8D4DD44E-79A3-616D-3709-000000000402}1488708C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000042443Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.513{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042442Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.482{8D4DD44E-5BA6-616D-0A00-000000000402}6202660C:\Windows\system32\services.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042441Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.482{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042440Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.482{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042439Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.482{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042438Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.482{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042437Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.482{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042436Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.482{8D4DD44E-5BA6-616D-0A00-000000000402}620360C:\Windows\system32\services.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042435Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.486{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k AppReadinessC:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x800000000000000042434Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.482{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1e088|C:\Windows\system32\lsasrv.dll+1d2b1|C:\Windows\system32\lsasrv.dll+1bad0|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042433Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.482{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C98C090641E3DC736AF97EB112BDBE39,SHA256=D070D3E4F62CF90ED31F663A5533D7DC5DD50FE88C57E3A331876BA473EF5209,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042432Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.482{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042431Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.482{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042430Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.482{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000042429Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.137{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59046-false10.0.1.12-8000- 10341000x800000000000000042428Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.450{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042427Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.435{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042426Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.435{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042425Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.388{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042424Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.372{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669EE4BAC24341882C35F300B7EF77C2,SHA256=94DF95D584AE9F55523E866B32D399BB39AB916CBC15080F3F4FC48665254FB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029688Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:52.706{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com50580-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x800000000000000029687Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:51.690{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 734700x800000000000000042423Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.216{8D4DD44E-79A3-616D-3509-000000000402}3428C:\Windows\System32\taskhostw.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 13241300x800000000000000042422Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:55.216{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000007fe) 354300x800000000000000042421Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.044{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59045-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000042420Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.044{8D4DD44E-79A1-616D-2809-000000000402}4752C:\Windows\System32\efsui.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59045-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000042419Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.031{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59044-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000042418Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.031{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59044-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000042417Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.943{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-185.attackrange.local59043-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000042416Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.679{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-185.attackrange.local59042-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000042415Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.679{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59042-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000042414Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.670{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59041-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000042413Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:53.670{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59041-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 23542300x800000000000000042412Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.153{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F86401CB894EBC17E53DCF44F694EB51,SHA256=0C3C8958BD073DD36092A13FF3A0CC044A80B354D1B7256F6B522EA98552ABF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042411Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.091{8D4DD44E-5BA9-616D-1600-000000000402}12921908C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042410Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.091{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042409Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.075{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042408Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.075{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042407Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.075{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042406Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.075{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042405Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.075{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042404Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.075{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042403Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.075{8D4DD44E-5BA9-616D-1600-000000000402}12921908C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042402Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.075{8D4DD44E-5BA9-616D-1600-000000000402}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042401Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.060{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000042400Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT10532021-10-18 13:41:55.060{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTask2021-10-18 13:41:55.060 10341000x800000000000000042399Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.060{8D4DD44E-5BA6-616D-0B00-000000000402}6281872C:\Windows\system32\lsass.exe{8D4DD44E-79A2-616D-3409-000000000402}5036C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042398Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.060{8D4DD44E-5BA6-616D-0B00-000000000402}6281872C:\Windows\system32\lsass.exe{8D4DD44E-79A2-616D-3409-000000000402}5036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042397Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.044{8D4DD44E-5BA9-616D-1600-000000000402}12922312C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-3409-000000000402}5036C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042396Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.044{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-3409-000000000402}5036C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042395Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.028{8D4DD44E-79A2-616D-3409-000000000402}5036ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etlMD5=184FA94EBB57B2609A3F5C014A01CC0D,SHA256=DCB008A7EA59EDDC58DF5FA0C952752415AF5C8017DE4535C9DE1683B1A386D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042394Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042393Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042392Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042391Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000042390Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:55.013{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x800000000000000042389Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042388Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042387Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042386Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.013{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042385Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042384Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.013{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000042383Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:55.013{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x800000000000000042382Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.013{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042381Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.013{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042380Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.013{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042379Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.013{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042378Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:54.997{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8258471A3CFB642162C9443C7DEFCBB9,SHA256=E9EB3F631EFC6F918451C4E16BF11DC150F1C18D59F0B9FBEBC03E99E3B8231A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029692Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:54.970{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com50765-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029691Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:56.846{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19EAD34285A071813302F71102EB9F0C,SHA256=241B4557A7AB2581CC276C600F53CD1876F978EF5B1D6AEA3A3E6D6B151A65D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029690Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:56.471{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98EB2F71854B6F9164E8D8C066925FA,SHA256=AF422943D86334A511A4A8209F76967F18FD52C3EA478AB1BE107DB6419CEAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.981{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.981{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.981{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF59BAD4F063E9F0249080D249AAAC8,SHA256=C2A69E6DD33C5858B38AD11C1BB5440FAF0AA820D3FAE791D5FD80E898998417,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.966{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.966{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.966{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.966{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.966{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.966{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.966{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.966{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.966{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.966{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.966{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF3EEB0D51BAD5E2E860D1CD7357881D,SHA256=264AB50A1B58823930E0FF565EE8B9CAEED51A7EF2460A6AA8BDE293A8466899,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.966{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.966{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.950{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.919{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.919{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.919{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.919{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.919{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.919{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.919{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.903{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.903{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.903{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3740187008-2201179595-1268207648-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.888{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.888{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.888{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.888{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.888{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.888{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.888{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.872{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.872{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.872{8D4DD44E-79A3-616D-3809-000000000402}30041448C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.872{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3740187008-2201179595-1268207648-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.747{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24CD9660B6C0602B5F9780C447F8758,SHA256=705B477ECF6F19C33DF847D570A7441F5C79CCF2A3E56B3EDCDE77564E0317B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.732{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF7E827825C2C8BE9A0C6AFCC5AA138,SHA256=5DF5A216F1A2610DA6B33B524906E4DC5AE69BD7B2539C45EE7E31F0DA188450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.732{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA5ABC3FA88ED46E4BEBD6F54C16A5B9,SHA256=D9A450E7FF450887D594A2D3DB8C6EA167375EF72A6D80A0000913B13179F484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.732{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=31C8484BD9C3E3C72A509B5FAFF5B14D,SHA256=1A17037F4653CEA9EF38AFE68D65C84E42874BC47F060E060BBC7AC48E419E91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.513{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.513{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.513{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.513{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.513{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.513{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.513{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.497{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.497{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.497{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.497{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.497{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.497{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.497{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.497{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.497{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.497{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.497{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.497{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.497{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.497{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.481{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.481{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.481{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.481{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.481{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.481{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.481{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000042517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:56.466{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\PolicyVersionDWORD (0x0000021a) 13241300x800000000000000042516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:56.466{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222S-1-5-21-3740187008-2201179595-1268207648-500v2.26|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|C=S-1-15-3-3845273463-1331427702-1186551195-1148109977|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|M=microsoft.bioenrollment_cw5n1h2txyewy|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|D=C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\|PFN=Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy| 10341000x800000000000000042515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.466{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000042514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:56.450{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{5147F42B-54A2-4E09-8221-5B72D6328289}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|EmbedCtxt=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}| 13241300x800000000000000042513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:56.450{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{74158164-D3B8-48F1-B0AD-089FA9BA9597}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|EmbedCtxt=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}| 23542300x800000000000000042512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.419{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.341{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.341{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.341{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.341{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.341{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.341{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.325{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.325{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.325{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.325{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.325{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.325{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.325{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.325{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.325{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.325{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.325{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.325{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.231{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.231{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.231{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.231{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.231{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.231{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.231{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.216{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25b8a|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:56.216{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029693Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:57.502{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39E9F3E256C739D46A30DD457599FCF,SHA256=17F520A23ED039897309074455493ABBA7D45A8BF7D33229263B36CB271E74B4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000042991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.950{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742S-1-5-21-3740187008-2201179595-1268207648-500v2.26|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|C=S-1-15-3-1|C=S-1-15-3-2|C=S-1-15-3-3|C=S-1-15-3-4|C=S-1-15-3-6|C=S-1-15-3-8|C=S-1-15-3-9|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-3215430884-1339816292-89257616-1145831019|C=S-1-15-3-3071617654-1314403908-1117750160-3581451107|C=S-1-15-3-593192589-1214558892-284007604-3553228420|C=S-1-15-3-3870101518-1154309966-1696731070-4111764952|C=S-1-15-3-2105443330-1210154068-4021178019-2481794518|C=S-1-15-3-2345035983-1170044712-735049875-2883010875|C=S-1-15-3-3633849274-1266774400-1199443125-2736873758|C=S-1-15-3-2569730672-1095266119-53537203-1209375796|C=S-1-15-3-2569730672-1095266119-53537203-1209375796|C=S-1-15-3-2452736844-1257488215-2818397580-3305426111|C=S-1-15-3-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|M=microsoft.windows.cortana_cw5n1h2txyewy|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\|PFN=Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy| 10341000x800000000000000042990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.950{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.950{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.935{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3740187008-2201179595-1268207648-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000042987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.919{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{51674281-8ED5-4DC6-BDA7-72F4C7A5AD10}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE| 13241300x800000000000000042986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.919{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{6112E92F-432A-4E3A-840C-0C44FD92C09F}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000042985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.919{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{67E87B2E-8507-4744-B591-DF406893D3D3}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000042984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.919{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{029A926D-1D8D-46ED-9DD9-AC8F9A1F4BAE}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000042983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.919{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{A56AE2F4-B3A5-48E8-9673-02AD7C427961}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Security=Authenticate| 13241300x800000000000000042982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.919{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{634DF280-D1F9-448C-AD24-F3432170BFEB}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Security=Authenticate| 13241300x800000000000000042981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.919{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{1CB45D2B-E690-4B66-AFF9-19CB7F416C8C}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000042980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.903{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{A65B73DD-FAAA-482A-A64F-32175EF79D33}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000042979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.903{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{50BA81B0-6BAF-4A2C-A399-E35A5CDCC750}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000042978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.903{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{6DB08AA2-7824-4C8D-9729-40D25215098C}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 23542300x800000000000000042977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.903{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=258530EF84336612839E59016C10431A,SHA256=FAFFF77EE91A4C1394BAD8CA8CB9C6F63736C158B281DAA364F1DB48D39AA60E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.903{8D4DD44E-79A3-616D-3809-000000000402}30041448C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.888{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat.LOG2MD5=F045C633B9340D27547D12EECC7EE0B9,SHA256=9D04CBA5F699DF1AD06BC5541F85917A856292F181493393EC89EBF2980A1B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.888{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat.LOG1MD5=CD0B1FDF28910E391492F4807B474473,SHA256=EF923067C3091E773EB086A786D5E2FCA53B01EE8CE0A2EEB6704C85935CD2F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.datMD5=9C746CF42DB3B621537D8310CE3D4BE1,SHA256=52D93909D30105CE61FB14BD32AC9473BC627199AA83808B337F6D874CC46FDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131420250026721327.txtMD5=35CB8C19D2035D2165E1EFA7FA0ADF70,SHA256=5DCC967527060112D9824F3C852F5F1344613C12F2BEEAAF6D67A901E00B615F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131420249992652675.txtMD5=35CB8C19D2035D2165E1EFA7FA0ADF70,SHA256=5DCC967527060112D9824F3C852F5F1344613C12F2BEEAAF6D67A901E00B615F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.872{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.856{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.856{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.856{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.856{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042949Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.856{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settingssynonyms.txtMD5=9239D33BCC9C55C4D97DCAE64A7E2F5B,SHA256=D147C9B76ACC226324DEF206D680C3368109018BE254FD1399C8E2ED2C3D77E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042948Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.856{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042947Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.856{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042946Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.856{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042945Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.856{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042944Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.856{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042943Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.856{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042942Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.856{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settingsglobals.txtMD5=D2D6B108ED635B192276F2E13160BB9F,SHA256=598A2674BE811C1256B0E18311CE5CBA2A542D0965FF4A0AC96173CE78A4C575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042941Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.856{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settingsconversions.txtMD5=F21F68AB0FD9BF5B4255EDDDE72BE816,SHA256=9034FBD5F370A37A2E43CAE5D482B84D3ED9B6C62C6DDBC4BEE25B0526AD25EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042940Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.856{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settings.schemaMD5=AC68AC6BFFD26DBEA6B7DBD00A19A3DD,SHA256=D6BDEAA9BC0674AE9E8C43F2E9F68A2C7BB8575B3509685B481940FDA834E031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042939Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.856{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settings.csgMD5=A97FD910ECCB1049B949DF2B6D0EA605,SHA256=B84B14439AD5607B15A96B922CD63EA6C8CB1281BF3B84037C5CE90FBEB29766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042938Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.856{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\appssynonyms.txtMD5=E86D86E41327A21E2448076DD6C97A81,SHA256=A3DC890A9E3D99D3336455F0CFD94ACCAAD69242D0A1C8649AC82B8E1F8BB6FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042937Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.841{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042936Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.763{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C66A1537E19A3F30502C7B1701DADE,SHA256=20040E045CF201C079F3A42D36CCE13D0DEE9BBE6F1F6313BF0A13A492C717DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042935Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.747{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\appsglobals.txtMD5=5925E930562DA940101DE785C1CBC5B3,SHA256=B6C3C8B85CECB5743E5A62C706152F83606B5690F0926B5CC16D29CBFE3ED39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042934Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.747{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\appsconversions.txtMD5=F21F68AB0FD9BF5B4255EDDDE72BE816,SHA256=9034FBD5F370A37A2E43CAE5D482B84D3ED9B6C62C6DDBC4BEE25B0526AD25EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042933Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.731{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\apps.schemaMD5=1659677C45C49A78F33551DA43494005,SHA256=5AF0FC2A0B5CCECDC04E54B3C60F28E3FF5C7D4E1809C6D7C8469F0567C090BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042932Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.731{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\apps.csgMD5=FB7202F6D377FD89C7B261E34D680D33,SHA256=839D24F509CA8BF8737074BF42E83A88A32EE3760BD34BBA2A7CF6CF482A1C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042931Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.731{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\Apps.indexMD5=D38A175DD3C786FE6065A00AD306D74F,SHA256=57D9784D2866D21A61FA5FB04373807EDCBF7FAF298A2894C482A6EA80D419FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042930Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.731{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\Apps.ftMD5=F256707B0901454854702BF58E4DEF0B,SHA256=2603EF3B568C277FF92E75593C0969A0E24291BBC9419080B77D567A53825ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042929Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.731{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\Apps.dataMD5=09924E1BACD1740F5906D89DD6905D99,SHA256=98C574D4894041260AB499048E2B5CB9F58A58AA42B5DDFAE9C44D2BEEA9023D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042928Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.731{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\0.2.filtertrie.intermediate.txtMD5=C204E9FAAF8565AD333828BEFF2D786E,SHA256=D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042927Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.731{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\0.1.filtertrie.intermediate.txtMD5=34BD1DFB9F72CF4F86E6DF6DA0A9E49A,SHA256=8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042926Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.731{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\0.0.filtertrie.intermediate.txtMD5=F975464F45E06A57B8FE3C4FFE644599,SHA256=41B65982C681DAFBA517CEA1878436C4FE1500C161A00B9A916661DB425D5FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042925Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.716{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\Apps.indexMD5=D38A175DD3C786FE6065A00AD306D74F,SHA256=57D9784D2866D21A61FA5FB04373807EDCBF7FAF298A2894C482A6EA80D419FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042924Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.716{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\Apps.ftMD5=F256707B0901454854702BF58E4DEF0B,SHA256=2603EF3B568C277FF92E75593C0969A0E24291BBC9419080B77D567A53825ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042923Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.716{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\Apps.dataMD5=09924E1BACD1740F5906D89DD6905D99,SHA256=98C574D4894041260AB499048E2B5CB9F58A58AA42B5DDFAE9C44D2BEEA9023D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042922Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.716{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\0.2.filtertrie.intermediate.txtMD5=C204E9FAAF8565AD333828BEFF2D786E,SHA256=D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042921Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.716{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\0.1.filtertrie.intermediate.txtMD5=34BD1DFB9F72CF4F86E6DF6DA0A9E49A,SHA256=8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042920Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.716{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\0.0.filtertrie.intermediate.txtMD5=F975464F45E06A57B8FE3C4FFE644599,SHA256=41B65982C681DAFBA517CEA1878436C4FE1500C161A00B9A916661DB425D5FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042919Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.700{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{FEEDCB9B-F3C5-495B-A8D7-84F79D27D88E}MD5=9FCDA9AF0663B95421B2DF4DF2E1B9D4,SHA256=B3003B1A6220FA0F3390E2F297DFA4209C45C3D8FB9B55ABBA2507792720A89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042918Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.700{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{FE283CE6-7678-4BF6-BD45-D855B6683130}MD5=3E30C6D0FC6DB0EE27A19FCF25DF566B,SHA256=EA12C2CD052FE46441BCC9C4FB81D9D52C1FEE3AEE762C09EB2FE34D19B1D2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042917Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.700{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E79AFC5E-81E0-48C0-B2B8-B0755C4E824D}MD5=8571A37EA5341C6306283678D6D7B3F7,SHA256=DA51B889B504FE15B3526AA6A87A4A9843989F4EB6D32CFB205861A223030B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042916Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.700{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E46F3460-B4C6-40F2-9BF2-B4D9A4F6ED86}MD5=DB04268CDC55A7FE26A2F145F86BF875,SHA256=CFACBA24A15CFB163790F9C67CDB2B2CC82CE006B9E32AC8687DBFC7DB69B258,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000042915Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.090{8D4DD44E-79A3-616D-3509-000000000402}3428win-dc-185.attackrange.local0fe80::499a:5ff5:cd3f:fbde;::ffff:10.0.1.14;C:\Windows\System32\taskhostw.exe 23542300x800000000000000042914Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.685{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E28967A0-A00F-44F4-BEB5-D1DC1F682F91}MD5=D073912E2B55F885ADC380FB3849A88D,SHA256=3D6632DD180019CC415F024A5C0724886E4F5E90116E78F5B390E09475C8A1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042913Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.685{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E1C5F6E0-5D96-4432-9C54-B630B005F17D}MD5=A220E6F69189C7C262EA46B8EE8E6FE4,SHA256=556020DC6EFBDBF8054FAEEE15519516CBF2B11904D5AF9E04D041D7480BCA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042912Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.685{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{DE7873BF-B56F-4465-AA14-AD810677CFF1}MD5=5E62597AD6E77746796E3B8571490D14,SHA256=45FB70B917C807BEFD513465866C4D27A4E869DA31182CDCF6D314DF224EB651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042911Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.685{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{D7779C65-D55A-4E6E-AB28-222AD101D61C}MD5=9001B10995D8FDABC78945D7B210649D,SHA256=92818CA4F5FB7F3808ABFDE9EFED7E2292FBE9195366132EDB50F3A246CA00B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042910Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.685{8D4DD44E-5BA9-616D-1200-000000000402}7843812C:\Windows\System32\svchost.exe{8D4DD44E-5BA9-616D-1000-000000000402}496C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+1969|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042909Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.685{8D4DD44E-5BA9-616D-1200-000000000402}7843812C:\Windows\System32\svchost.exe{8D4DD44E-5BA9-616D-1000-000000000402}496C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\ncbservice.dll+165c|c:\windows\system32\ncbservice.dll+227a|c:\windows\system32\ncbservice.dll+205e|c:\windows\system32\ncbservice.dll+1bdb|c:\windows\system32\ncbservice.dll+181b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042908Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.685{8D4DD44E-5BA9-616D-1200-000000000402}7843812C:\Windows\System32\svchost.exe{8D4DD44E-5BA9-616D-1000-000000000402}496C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+17cf|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042907Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.685{8D4DD44E-5BA9-616D-1200-000000000402}7843812C:\Windows\System32\svchost.exe{8D4DD44E-5BA9-616D-1000-000000000402}496C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042906Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.685{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{CAD3CFB0-7CDE-43F8-B95D-98E958A585B7}MD5=41ABD480C1392D97DF3ACFFE760D2804,SHA256=7BEF858DA7D8B87F8E4C7804731E91AF5618DF4838EFC2BE398F609078268479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042905Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.685{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{C5DABA0D-CF94-465F-9B6B-C598EE8CCEE8}MD5=DEAC14151C0C509293EEE44191D9CD8D,SHA256=A169AF78E7C013538AE66FC03A2B859A0D6D4F5D5F77BFF03415E9C25084B430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042904Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.685{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{BBD6B771-DF9C-48D4-99BF-77C177FAAD05}MD5=ED16924B1B7A952B1CB20D8515BEBB70,SHA256=6966D629DD24B6904DB8AA9C9F06197706E039848C15BE8FA738E4ED25F06B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042903Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.685{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B69C64CD-23EC-43CB-8DAE-EB6560EAACC3}MD5=A461B8A48DB3B6C08E072140728A43C4,SHA256=21C57136A790877DA3640B5691C0F651D503D133B2B6936F5203BEE3F30A9565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042902Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.685{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B59BA0CB-7100-4018-A4F9-D539D5F4E058}MD5=DA594A38AD299ADA683372EBA5881CAD,SHA256=F0529ED98871CFB5607C993309D0A3DDB84CE36EC2E41897CB6BD8EB683711CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042901Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.669{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B4D06CEE-9D19-4A4D-B72A-396F2B566927}MD5=5F0A30B2DC6750BA2867B7BC006BD8FB,SHA256=9051D648449406B051B8A06D3372962529004EE159132D437E89AB6AEFA8A880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042900Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.669{8D4DD44E-5BA6-616D-0B00-000000000402}628NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_a4ee36bd-fd63-46a0-a49f-c2b42395fbd8MD5=E2B1E53F26985BC0BC2A99C7D107A1D1,SHA256=3DC463A76FC170607C07B104C3CB531362CE7D6E10C1A34E0C0F370AEAE08CE8,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000042899Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.669{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B14CA865-C958-4580-9074-7E92964475FC}MD5=73252311BC2FB738EA33277A28F3596B,SHA256=7B6EA44D32065F717612C79F94114F9259C08D5465EBC007F16AEA92FD4D1CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042898Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.669{8D4DD44E-5BA6-616D-0B00-000000000402}628NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_a4ee36bd-fd63-46a0-a49f-c2b42395fbd8MD5=40489A5F251275967BCAC92A594C210C,SHA256=5F54121BB1590A36EBFD2DCDDDF4A66300AA09CE7C9B6B70B6BA132287EBFACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042897Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.669{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B0DD03EF-8C20-43DB-BDD2-4CFAB623574E}MD5=74017CA605E121CBA7CF92459B8C5638,SHA256=A4B6642597D4E32EB8FAC89CB4450E226C3978F963BDBFE95ECCAA527F1E8EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042896Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.669{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{AD913853-B212-444B-9876-3E2C3A49A8EB}MD5=206A73951B8654BD2B70962A78C00BE1,SHA256=19DA4F01CBB9BFDD977E06AF58B95CEC1D4A027C776A178469251B5F0B9D9A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042895Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.669{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{A5400422-73B1-4B93-91A9-72E697208472}MD5=00B94F495BD57E421FEF46D7A1EECF44,SHA256=3C1C7F8A819B758DAD75031F99AEF06C94B418FA2FC199F82BFAE815483E11C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042894Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.669{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{A4E61E50-3EF0-4DA6-8275-CD489D676DAB}MD5=2BA0F2705632CB30D7BCA6DF8D087F2D,SHA256=7E47070E9ED1DFB752DD755B918F943B0B231C0885F55DF05EE82470595E3022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042893Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.669{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B74498C44985ADA94A9229241BEBB7,SHA256=EA1C93FFEFB3AB1EE63B1DEFCD238F2C521050AF102EDCACE536A1DFE5886058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042892Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.669{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{9D07DE99-52F7-454A-8CE6-31DA9AA94ED8}MD5=9456CEECAC6A1245C482C3B82593846D,SHA256=963DE82340F63CFB27DFDD15CD5643FE93D6C0AADB0B96B7923F0E23815F10CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042891Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.653{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{98C2D61D-6107-43E9-BCD8-6EB83D77ADEF}MD5=60FFAC14CA2196E3D54342C4C45F7C2B,SHA256=9979DFF1E142B348644E5C7735FCD13D8871408DCF4E0913D9FD9A3EC8436C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042890Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.653{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{9485A429-81C2-4352-A24F-92682A765D4B}MD5=349FE67C44E950D305D486C590998F2B,SHA256=B5832863667B94E5D9380583C2B626BC6969F8C9D362D2241F99C57ED5A4B157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042889Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.653{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{8D75FAE0-23F9-47DE-A54A-C2427D45DCAC}MD5=DEAC14151C0C509293EEE44191D9CD8D,SHA256=A169AF78E7C013538AE66FC03A2B859A0D6D4F5D5F77BFF03415E9C25084B430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042888Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.653{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{8AB7F553-0827-496F-B610-82D31E06AC96}MD5=A2C26EBC40D4625D952314673C6141E9,SHA256=902AC55382C57835ED2151549B7D12211436E67A63B3B0E44FB384A661228729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042887Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.653{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{891D5E7A-7A57-4CBF-9089-443EE49B6103}MD5=911DEFC897CECC2D0C78E5B96D5D515B,SHA256=965BD9A6F5738140EB5A51EFBC44129112C25FC82825BA7F30113602A6E8C902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042886Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.653{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{891649DE-3DE4-49E5-90AC-0987EA95353B}MD5=05F75F6404996B3E39476104E78DF209,SHA256=1E4258113A2D151783ADB9D626D38E7F67CFAB9C79FE14B27E07170081D145C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042885Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.653{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{84B49252-6DEC-40A8-90BE-86AE577E1B23}MD5=55F95E08D08A7A3768F27800D9217B04,SHA256=37F9BC821FDE92326D617E96AA6ADB2DBE7EB2666B1A88451F9410B80A774377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042884Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.653{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{829BE0F1-69E1-42FD-A3B6-359E1C3C1345}MD5=B467C6E316631A8A0420CB9F40222D93,SHA256=55336E857424336DBC05D5B2B96AEAAE4D296B1D6D5B031A5869B25143624085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042883Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.653{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{80A3BBAD-ABC2-4C9D-86E6-B04FA287F655}MD5=4174344A2D19128BADE81E2EB14BDC1D,SHA256=FC6C1C04EE333CB336B7DC428C25B995F7B85F49ADBDC88EBC7262C1307885FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042882Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.638{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{74B164BF-3E71-46AF-8ACB-AAA4A76A5378}MD5=349FE67C44E950D305D486C590998F2B,SHA256=B5832863667B94E5D9380583C2B626BC6969F8C9D362D2241F99C57ED5A4B157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042881Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.638{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{735E8BE6-1731-42CA-A8F3-B53E930EDCDB}MD5=18E3CA8C6CCA69E00EC76747FAB81F0B,SHA256=08148891128E558A6C3CD3EEEE68457F3D1A10F1A2720DE0A4E27D1543A4F785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042880Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.638{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{72CE2732-257D-4200-8BC3-7ABC84224683}MD5=854754F8D9E7F7D9AAF2FA7F6BE1A1EF,SHA256=E6F4EFACF3E1CAD20C8245C7B9408E2BE2C2D6FD70B781F48A4BA22F067ED731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042879Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.638{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D1CC60E-42DB-4A1B-A50C-DC1DF51BFBF1}MD5=5E74B43DD59C1AB6F5244DA6154DDEB4,SHA256=DB8971C2F98690196197BC5A5875D3233E0FBC7B512BFA60659E67D5296FE080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042878Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.638{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6A253CE4-5CE2-4926-BF13-2F00787D2097}MD5=D9E99905D3D6FB42429AAF5DE84FCADA,SHA256=B8359F6E6BC9E16731B65A9F8253C86E846E9C1F951B1351CBD649FA6E286BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042877Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.638{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{552E6613-D145-4B51-A24E-3C8B003E24A4}MD5=C359A6183B25EF8221256AFEDCE656B8,SHA256=E9122C2C02DEBBB1AFF1FBFE30465AFAA0CFBD4EAE9C10AEA58A6663DEE9EE8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042876Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.638{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{526402D0-291F-4761-931C-0273D14B2CF0}MD5=0CE681BD1598F07606E87609151DC42A,SHA256=1334CF9557C973A9F6AF7280C8C165C434A24947DE6E1647B27E62CB822FF31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042875Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.622{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4FC5BD42-2CCF-4A96-AD8E-C83520ADB20F}MD5=922CD9F5F7320A813B0DAC1080EB7709,SHA256=346145F9100D8CA04CE7FC277D8775DF500D1FD1995F6CE28BBEEF685DFF04DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042874Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.622{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4E171B62-A785-4231-B14E-626B192185F0}MD5=0796DDBF4C9B9D94DC5FD03E92485F28,SHA256=DBC10BA43AA770F1D3A36F7CAC2B50AE664804F28214B792E3C56266D7E8F377,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042873Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.622{8D4DD44E-5BA9-616D-1200-000000000402}7843812C:\Windows\System32\svchost.exe{8D4DD44E-5BA9-616D-1000-000000000402}496C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042872Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.622{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042871Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.622{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042870Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.622{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042869Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.622{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4CC3BE49-DBA3-470D-94C8-20CE40F2BCAA}MD5=164DF3D6F46E23E2FA08C9D8B57D071C,SHA256=2CEAF005435274273EB097157EA09E468BCD39ED9A7D63ECD04A0C6986B1528C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042868Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.622{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4CA8F3BE-4DEC-4028-BAEF-6491FC4270C3}MD5=68F587A5B93845BD54716A6C6C932688,SHA256=3A319B5FA81F068C11959C024D08DADF279A00CA5C6B8C3F574C4DB64822AD56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042867Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.622{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4975E0B9-496B-4FF0-BC0E-1E06B22BDD96}MD5=C8B4FC8B8745BDE84005D690D3A026B2,SHA256=8779E3A2B6294AED675906209B8CD86FE1A79E0D3770AED38600278C29E6E55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042866Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.622{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{48A82B41-50A4-42D7-B403-B5D5FC29426F}MD5=164DF3D6F46E23E2FA08C9D8B57D071C,SHA256=2CEAF005435274273EB097157EA09E468BCD39ED9A7D63ECD04A0C6986B1528C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042865Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.606{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{3F7F98FC-AA70-447B-8115-EB5A44909800}MD5=F4AF1310D8D92B88BAB00ECA2F49C398,SHA256=3130C6EC89917106856DA972EA6157791A6F8DD405164F86B7EF73F849A158DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042864Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.606{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{3A0E2E7D-9FED-42CB-8877-33CF7980ECDA}MD5=544AC2AEF10A0AAC6646D5D372CC839A,SHA256=E402AAF80000D1AE4C9C731B2D45E9E1D707C1F9ED0935EF065968C47306E85E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042863Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.606{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{38A89348-B3AE-479E-9816-8957D41F333A}MD5=7E65C5A57A575C58A5405595565EA22E,SHA256=9FA31C4A02F57CEF0DE517567F7D218DA51B530A387E6198F25B60967C43AEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042862Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.606{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{33E693A3-517A-4347-A45E-3E8F1A25B030}MD5=1A1A2950F1D4A9770DF78E6CD2BCACC2,SHA256=28EA58D31BC5379C5760FC79481AFFAD0E1A132AAC6C794D8C849D6BDED9AE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042861Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.606{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{3039DC32-E634-4F64-AD60-9038F8E7D74E}MD5=D073912E2B55F885ADC380FB3849A88D,SHA256=3D6632DD180019CC415F024A5C0724886E4F5E90116E78F5B390E09475C8A1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042860Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.606{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{2D2370BB-9EFA-4648-B021-63A266D97A51}MD5=B590C6A1DBD4BAE99FED3744E0898536,SHA256=FEA47174536A406B031F040F394417218427405C4EB30558D6126A1AA79F6005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042859Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.606{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{24A5753E-C22E-49F4-BC08-F780BC6B1286}MD5=F3EFEAA4A73DB4D7D39C729FDE3305A7,SHA256=8C33FC0D66799635812F0F5F96B35C699ACAC5753DB1FFA89DA9520C81CAE9F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042858Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.606{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042857Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.606{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042856Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.606{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1F6412A2-2B23-4074-A89D-9586B3CFBF11}MD5=9A987ABDC3B59D4D4E488190C758BC8A,SHA256=F9B1BF1FC533A009213B23911DBA90DF8E914BB93C458D7A86C89D8546AE1FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042855Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.591{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1CC42A14-06FE-4766-987D-39817BF3005F}MD5=3700764E031A12B2220A2C082EF7BBBE,SHA256=A772660D39E4150FB6017A0FDBDE096EB17128774678A018BFFEDCDB507101F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042854Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.591{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{19AC3423-5AC0-4CD7-9E2B-DB6C0DECE3C4}MD5=9001B10995D8FDABC78945D7B210649D,SHA256=92818CA4F5FB7F3808ABFDE9EFED7E2292FBE9195366132EDB50F3A246CA00B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042853Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.591{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{03152E59-DE8A-4AF5-8757-7FF15DC09A3C}MD5=25917526232EBDB7DE54634BFB5E6A33,SHA256=467251FCB3C564947AA615B69ECFC765763BBAA61B47CA13FD1895307E30125E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042852Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.591{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].pngMD5=A98EF91236D0A680740A3C0F10937087,SHA256=660FDBEDE1BFFF4F5F322F2DD862445A2BE9101828A32013843E5F6E0320D804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042851Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.591{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].htmlMD5=CDD4A14258DC43D22C37F1E721AEC245,SHA256=0D9E19723D9ED66DD13CB8657808963130BAD94249F03228CCC68BB32FC360C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042850Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.591{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042849Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.575{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\appcache[1].manMD5=9C09D8D73BB5BB4E83BE6D75D117BCDA,SHA256=F34BC09B3486A486AABF2BE3A3E6728A5FCD17821CAF41CFAC78CE85A63C6AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042848Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.575{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txtMD5=F98851A644D901C32D1152CF001C2A30,SHA256=8A450F4631B7F451F470B7E7EF723A872C962749001C75AB1E9A01FC2765766A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042847Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.575{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txtMD5=5B7A3FBF6CE7627737B7AE8F7F73AF2B,SHA256=E5C8A584A8EF5082455DF1B7D986CDF9160F0A5AFA0EC6FD360EAAB9A1A8C5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042846Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.560{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txtMD5=FF638505C57813F0F9115CB2F853BC07,SHA256=18695997D547308B565AA0D9AC8FDF8981966A47AF431DCC943BCC882AB6ECB7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000042845Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.560{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708S-1-5-21-3740187008-2201179595-1268207648-500v2.26|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|C=S-1-15-3-1|C=S-1-15-3-4|C=S-1-15-3-15993189-1149757597-3280441496-4094800555|C=S-1-15-3-139472938-1339732804-1469114779-4031155563|C=S-1-15-3-1849407097-1086866290-155560606-3624675039|C=S-1-15-3-2015030808-1290041139-4103196845-2461361948|C=S-1-15-3-2973957182-1175190094-721927306-1883016034|C=S-1-15-3-3633849274-1266774400-1199443125-2736873758|C=S-1-15-3-2105443330-1210154068-4021178019-2481794518|C=S-1-15-3-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|M=microsoft.windows.shellexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|D=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\|PFN=Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy| 10341000x800000000000000042844Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.560{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042843Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.560{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txtMD5=E68A5D04BF606560BDC326154A025956,SHA256=C32FBB255C914DA8336038933E799C5FEC8D50A0661B78DAB9E312131E7B7637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042842Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.560{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txtMD5=10D7D30E23DBC108EC78C03F9E741566,SHA256=99355DBE0DDE1F5390AF8BA6FEB736E85B00C13E8D08B560DFE2D7EC5465E8C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042841Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.560{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txtMD5=D20D4B52F55421E4F0EE293FA394F274,SHA256=6594DB803F6BEAC699E3B4FE1BFFF9F1A6C8B7D1CB43A9A92A7D6979EE62B9ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042840Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.544{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txtMD5=766B33AB225A94D22C45803D32D1D2C4,SHA256=8BF750226E7E4720AFCD86820D0752946ABB11DB79EF62AFFA61EEC941AB5C20,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000042839Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.544{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{3E1B8389-EC49-4419-879C-E39D12813A4C}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ| 23542300x800000000000000042838Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.544{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txtMD5=6B559E6B268CC53FC0293A706E970550,SHA256=9179C223831AE54A2A21E24B1BDBD1D06C00098FA2A664F476756CEFA56C71E9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000042837Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.544{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{9DCF8604-CF4B-4F9F-A70A-F04DBACF7141}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 13241300x800000000000000042836Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.544{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{6D0B01C8-411F-4D4F-8E82-29A9599F14E5}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 13241300x800000000000000042835Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.544{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C82C1E85-F940-4719-BF65-DBDEBD49C4A2}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 23542300x800000000000000042834Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.544{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txtMD5=87C5803AC86277335317BEEC5B252EF0,SHA256=8F7211EC0F4E0532DB653FECB4F605EB4C3C6C9879B138185DB4AAF7245646BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042833Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.544{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txtMD5=1DE957E6ECB8E53F1849E98E56D5D8F8,SHA256=D60A1010C3D82CAABA7C755C3A6423D7A268BCDC9EA4F27B10E8E14FD84ACD24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042832Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.544{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042831Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.544{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txtMD5=A6A758B9A843A9AE35166154D051C654,SHA256=59BEC20EBDB4ABAD19803E90044333A5781C755A3DDC0663A4A95E88AA0F45DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042830Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.528{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txtMD5=4EA6D9CCAE439451E3EDC69589C21F52,SHA256=115EE9EFD86B0AB505977609DBC1409CAD55275ED187667B37C1F7453406AA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042829Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.528{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txtMD5=7F25769992DF13C241A1F14C72781B7F,SHA256=C3F1170A49C7EE2CF721D222FA1F766543D0F69BBCB35BFA2C64453025365DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042828Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.528{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.binMD5=2477E1067EE108D32AA262307A357732,SHA256=C1A0FD9DA6CCA70C5D69C4E62FBDC08EBABCEAB018611E869B6F78EBABE9E640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042827Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.528{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txtMD5=D2ECB824C1EBD5CAD726A8FA730F83BD,SHA256=9BA9C472659B68EC59A470063958FCF4C1B9F95670B884F95FF690DA601CADA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042826Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.528{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042825Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.528{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.binMD5=1454E96AC56B9536AB32CCA75F5E5D45,SHA256=9568E2708BEE9FE90D3D981F9D52415DED574A95BF9525EEE961A2467C9F5325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042824Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.513{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txtMD5=91784C62BBC0181E5D1A1939D62C7576,SHA256=7C5953F43236E76AD1EABF5FB4E75FDC98F73A7686BFF5C023843D16A53C2CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042823Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.513{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txtMD5=E15FA9A83F9216A78A5E4AE2C2C08305,SHA256=65E0957B6D224D885497EE696AA97F94FE98D8BFBBD4F927508ABD645A4182BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042822Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.513{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txtMD5=83CDB65FC5E3B9880848CA153945CD99,SHA256=E2E2AC74937053440DD9592C7CC1619F3290A042838C9922D69E1B5BFF985B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042821Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.513{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC7E4A319A0D34F189962415BBC17E1,SHA256=05B0959A76ADF01DE27FCC345BF53FAC509C98A021F5AE17AE5AEAD8E500717E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042820Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.513{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txtMD5=94E8C0A2D77D4C6A4CC2AA5D6D71B3FC,SHA256=F0E0AA4CBFFAC78A340ADD726D7D94A090CE6D8E6DEFBC9673531B4E5053B05D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042819Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.513{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042818Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.513{8D4DD44E-79A2-616D-2B09-000000000402}4384912C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000042817Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.513{8D4DD44E-79A2-616D-2B09-000000000402}4384912C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 23542300x800000000000000042816Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.513{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txtMD5=3F65ED27EE681BC5D4F69A5C271DB6A1,SHA256=63828079B72050681B6811C4AA76A79CF8FB5F51E04B1596DBD761007BFC829E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042815Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.513{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txtMD5=006B1BF929F2A82B7AD00727A9F1623C,SHA256=A9F72540A0C0F03453F87AC641EB31BF401D6BE7A92F4615E9C49C7725BC3427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042814Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.513{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txtMD5=203D482240E2A13DE24F8F82A9037348,SHA256=5B64FA6B42BE7F59D4D48C4C85ED73B9311003133E8F02F04AE6FA198CD81ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042813Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.513{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\appcache[1].manMD5=5F027173844AA0ED63AE4AC12D3B615C,SHA256=72ADFCEA238F8F0B956A60BED2C609F825973CA4D52B5D92E3D41C51E15B40DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042812Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.481{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042811Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.466{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B8F1661A60328777D70071A7E7450F9,SHA256=2FE7BC5E147AE22ABA80EEB3996715F238C753B6EB5DD5B56F2F18B3C958F7B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042810Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042809Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042808Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042807Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042806Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042805Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042804Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042803Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042802Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042801Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042800Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042799Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042798Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042797Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042796Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042795Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042794Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042793Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.435{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042792Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.419{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1MD5=08D33FDECF9DFDB3AAA55E46F4DDF872,SHA256=8890B44AAD4579F4798FAE71AF174F6AA9BF78A2556F77174D8B4E457E600EBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042791Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.419{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042790Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.419{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042789Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.419{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042788Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.419{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042787Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.419{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042786Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.419{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.datMD5=134B2FB2E7188ED9BB83131C1F4907FC,SHA256=1D1EC260A84B289FDCEA6A538DE14870922F2FEDE4B45E10E138F239A8353562,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042785Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.419{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042784Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.419{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042783Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.403{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Microsoft\Windows\855533271\3923659455.priMD5=2D61605026CA74ED5301578606464552,SHA256=84019A9745D574D378277A1084C237265451F0C45196348372A715711610EB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042782Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.403{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Microsoft\Windows\3339743440\902793749.priMD5=98C999EAE532EE8FCB19ED482C1C0B6B,SHA256=081F850F71892C895B1808104D3C2B5293448F0F6B9E5003FD1D69DF5BD8E8B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042781Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.356{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042780Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.356{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042779Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.356{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3740187008-2201179595-1268207648-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042778Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.325{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3058E5FA19024C87B93C7C3047C0C4D4,SHA256=B67C5EE8B8F60D1E4EDFC9E0EDDF8772750BD2A37EB576BA9EF37F4B35066B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042777Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.310{8D4DD44E-79A3-616D-3809-000000000402}30041448C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042776Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042775Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042774Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042770Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042769Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042768Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042767Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042766Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042765Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042764Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042763Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042762Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042761Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042760Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042759Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042758Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042757Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.294{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000042739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.127{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-185.attackrange.local59053-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000042738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.126{8D4DD44E-79A3-616D-3509-000000000402}3428C:\Windows\System32\taskhostw.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59053-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000042737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.115{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-185.attackrange.local59052-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000042736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.115{8D4DD44E-79A3-616D-3509-000000000402}3428C:\Windows\System32\taskhostw.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59052-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000042735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.089{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local59051-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000042734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:55.089{8D4DD44E-79A3-616D-3509-000000000402}3428C:\Windows\System32\taskhostw.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local59051-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 10341000x800000000000000042733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.278{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.278{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.278{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.278{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.278{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.278{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.278{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.278{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.278{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.278{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.278{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.278{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.278{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.278{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.263{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.263{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595E5C27528165B484E9ECE88017DE23,SHA256=13620F267A7A2FC3E5FCDF05AA4A5404BB938F0DCEE4D191806078B7E5AF2A98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.247{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.247{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.247{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3740187008-2201179595-1268207648-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.247{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.216{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.200{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.200{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.200{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.200{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.200{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.200{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.200{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.186{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.186{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.186{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3740187008-2201179595-1268207648-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.153{8D4DD44E-79A3-616D-3809-000000000402}30044764C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.153{8D4DD44E-79A3-616D-3809-000000000402}30041448C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.122{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6A0C82811045DB06DB5496D5F667B6,SHA256=9AE82DF1AC8CD1CC9FB0AA7C9FCEF74870C28C0B2C97426836C1A72DC4C05807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.122{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.106{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.106{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.106{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.106{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.106{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.106{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.106{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.106{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.106{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.106{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.106{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.106{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.106{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.075{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.075{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.062{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.062{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.062{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.062{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.062{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.062{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.062{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.062{8D4DD44E-5BA9-616D-1600-000000000402}12923384C:\Windows\system32\svchost.exe{8D4DD44E-79A5-616D-3909-000000000402}4668C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.062{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79A5-616D-3909-000000000402}4668C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.062{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E747DF11381505732633863779EF16C,SHA256=C7424BC3B30DED079348FEA0C229481D62B4E1F862EA7E4A8E019740372226E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.062{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.062{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.062{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.062{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.062{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.062{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.044{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.044{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.044{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.044{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.044{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.044{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-79A5-616D-3909-000000000402}4668C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.028{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-79A5-616D-3909-000000000402}4668C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.028{8D4DD44E-79A3-616D-3809-000000000402}3004916C:\Windows\system32\svchost.exe{8D4DD44E-79A5-616D-3909-000000000402}4668C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\System32\AppXDeploymentExtensions.desktop.dll+21b54|C:\Windows\System32\AppXDeploymentExtensions.desktop.dll+2a21d|c:\windows\system32\appxdeploymentserver.dll+15830f|c:\windows\system32\appxdeploymentserver.dll+ae5a4|c:\windows\system32\appxdeploymentserver.dll+929c4|c:\windows\system32\appxdeploymentserver.dll+19e0c|c:\windows\system32\appxdeploymentserver.dll+2bffd|c:\windows\system32\appxdeploymentserver.dll+2bdf9|C:\Windows\SYSTEM32\ntdll.dll+80a34|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.042{8D4DD44E-79A5-616D-3909-000000000402}4668C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefreshC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx 13241300x800000000000000042632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.028{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773S-1-5-21-3740187008-2201179595-1268207648-500v2.26|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|B=C:\Windows\system32\wwahost.exe|M=microsoft.windows.cloudexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\|PFN=Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy| 13241300x800000000000000042631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.013{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272S-1-5-21-3740187008-2201179595-1268207648-500v2.26|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-8|C=S-1-15-3-9|C=S-1-15-3-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|M=microsoft.aad.brokerplugin_cw5n1h2txyewy|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|D=C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\|PFN=Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy| 10341000x800000000000000042630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.013{8D4DD44E-79A2-616D-2F09-000000000402}42682260C:\Windows\system32\taskhostw.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.013{8D4DD44E-79A2-616D-2F09-000000000402}42682260C:\Windows\system32\taskhostw.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000042628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.013{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{09EEE5DF-4473-4117-8EBA-614B8043038E}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000042627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.013{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{F2E8EE33-707C-4B87-B75F-FFD35C173E2C}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000042626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.013{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{073C8BCF-57E5-4EFF-A6B3-BA3B952AC501}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000042625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.013{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{3A28C35A-74B0-4192-9989-417E403A2CD2}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000042624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.013{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{5B945C5B-D205-4345-848C-35BF0EC7E504}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x800000000000000042623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.013{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C645C86D-6267-4B69-AD74-10FB7E5529E8}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x800000000000000042622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.013{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{F7B12F7A-3BEA-45F0-BE78-D7C8102E59AD}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Security=Authenticate| 13241300x800000000000000042621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.013{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{25B69401-5032-4843-AF27-2BFED87BB032}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Security=Authenticate| 13241300x800000000000000042620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.013{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{6971ECA4-B576-4BC8-B8FA-A591523A0C0F}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Security=Authenticate| 13241300x800000000000000042619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.013{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{D0893431-C3C1-4C8E-90FA-F68B37FF2756}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Security=Authenticate| 13241300x800000000000000042618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.013{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{BB6DA5F9-50FB-4926-ABC9-9D530B75B970}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x800000000000000042617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.013{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{681090B4-5E8C-4642-A18A-A5E682197A81}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x800000000000000042616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.013{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C5E2E335-77B9-4DAB-86AA-25ACB1B66AAE}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x800000000000000042615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:57.013{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{A8992261-6D2D-4BF7-BAD4-015FA342D2EB}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x800000000000000042614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:56.997{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{E6CA24BC-EC25-441C-B9B9-092F338CBDC3}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x800000000000000042613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:56.997{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{9E2416DD-AC74-4487-B0E9-F711EBDD16B6}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x800000000000000042612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:56.997{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{342287F7-2727-4F47-96F7-95C128688647}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x800000000000000042611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:56.997{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{72B9E57D-A840-4B8B-8882-AECD8806CBA9}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 23542300x800000000000000029694Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:58.517{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B6A21C70A8CF1EEECAC0914682138A,SHA256=7818C97C2193F151C66554BCE5E8C63CB41F481264E04D2C4852C7AEC97C4951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.950{8D4DD44E-5BA9-616D-1600-000000000402}12923384C:\Windows\system32\svchost.exe{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.950{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.935{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.935{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.935{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.935{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.935{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.935{8D4DD44E-79A6-616D-3A09-000000000402}28364432C:\Windows\System32\ie4uinit.exe{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ie4uinit.exe+2d19|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.936{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exe11.00.14393.2999 (rs1_release_inmarket.190520-1518)IE Per-User Initialization UtilityInternet ExplorerMicrosoft CorporationIE4UINIT.EXEC:\Windows\System32\ie4uinit.exe -ClearIconCacheC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=8450580ADC40581006B7233F2B2803EB,SHA256=DD7FE0DBD6BD3B66437C093B707D1B2CA8AC72E4671B88829A4327FA6B8A00BD,IMPHASH=A9F54FA8B3C0ECA158788E684C66CA9A{8D4DD44E-79A6-616D-3A09-000000000402}2836C:\Windows\System32\ie4uinit.exe"C:\Windows\System32\ie4uinit.exe" -UserConfig 23542300x800000000000000043501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.903{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816958CDE47B78F90C9FB3FCF9F06B2A,SHA256=DDA4BBA6C1CD5AA25F24D263D34D043BA512D005844C3975244CBC34DDB6F41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.872{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3C2E21007C4BC032D65607D032825F,SHA256=FDD167416F50042F77BC49E191AE7E2AA650E40A9BE09A43005CCB3475F6E3AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.856{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043448Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043447Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043446Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043445Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.841{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043444Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.825{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043443Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.825{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043442Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.810{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043441Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.810{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043440Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.810{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043439Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.810{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043438Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.810{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043437Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.810{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043436Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.810{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000043435Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.810{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493S-1-5-21-3740187008-2201179595-1268207648-500v2.26|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|C=S-1-15-3-1|C=S-1-15-3-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|M=microsoft.xboxgamecallableui_cw5n1h2txyewy|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|D=C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\|PFN=Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy| 13241300x800000000000000043434Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.810{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{4B9E9B3E-742E-41E6-9C8F-2C77AA5DB0F3}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000043433Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.810{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C90D6BD0-7EF7-45C7-9AAB-100F8173952F}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 13241300x800000000000000043432Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.810{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{88094EB2-0857-48C0-9EEF-78E87F69CA5D}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 13241300x800000000000000043431Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.794{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{70653B6B-494C-45BC-AAB5-DA3B0635F50C}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 10341000x800000000000000043430Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.794{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043429Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.794{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043428Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.794{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3740187008-2201179595-1268207648-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043427Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.778{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043426Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.778{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043425Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.778{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043424Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.778{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043423Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.778{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043422Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.778{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51FAAE597AC792F2F49407C75C4A3D4,SHA256=8DC654125407F6A2DAC5AE43F3939919DF223DD36674FA6CCA703CA03827EC28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043421Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.778{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043420Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.778{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043419Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043418Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043417Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043416Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043415Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043414Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043413Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043412Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043411Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043410Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043409Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043408Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043407Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043406Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043405Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043404Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043403Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043402Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043401Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.763{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043400Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.747{8D4DD44E-79A3-616D-3809-000000000402}30041448C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043399Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.747{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043398Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.747{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043397Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.731{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3740187008-2201179595-1268207648-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043396Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.731{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043395Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.731{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043394Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.731{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043393Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.731{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043392Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.731{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043391Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.731{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043390Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.731{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043389Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043388Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043387Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043386Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043385Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043384Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043383Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043382Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043381Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043380Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043379Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043378Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043377Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043376Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043375Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043374Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043373Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043372Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043371Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043370Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043369Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.716{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923C1539AB37E65160E360FD3AB28E82,SHA256=E93B558B7E40E21C9CFA70854AEA9E15A9B27077636B94FD5F1CE666A36D6FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043368Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.700{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\MiracastView\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043367Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.700{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043366Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.685{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043365Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.685{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043364Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.685{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043363Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.685{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043362Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.685{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043361Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.685{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043360Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.685{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043359Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.669{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043358Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.669{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043357Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.669{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3740187008-2201179595-1268207648-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043356Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.653{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C682548097BF45C979A6E09B44D984,SHA256=CDCCA7EB58B6F3ED5C2D758103AAC5C7B374FA341F228D6CCB7DA6569601C573,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043355Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.638{8D4DD44E-79A3-616D-3809-000000000402}30044764C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043354Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.622{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043353Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.622{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043352Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.622{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043351Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.622{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043350Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.622{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043349Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.622{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043348Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.622{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043347Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.622{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043346Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.622{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043345Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.622{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043344Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.622{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043343Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.622{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043342Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.622{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043341Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.622{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043340Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.606{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043339Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.606{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043338Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.606{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043337Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.606{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043336Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.606{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043335Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.606{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043334Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.606{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043333Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.606{8D4DD44E-79A3-616D-3809-000000000402}30041448C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043332Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.606{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043331Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.606{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043330Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.606{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043329Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.606{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043328Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.606{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043327Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.606{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043326Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.606{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043325Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043324Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043323Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043322Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043321Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043320Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043319Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043318Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043317Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043316Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043315Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043314Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043313Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043312Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.591{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000043304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.591{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531S-1-5-21-3740187008-2201179595-1268207648-500v2.26|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|C=S-1-15-3-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|M=microsoft.windows.secondarytileexperience_cw5n1h2txyewy|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|D=C:\Windows\SystemApps\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\|PFN=Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy| 10341000x800000000000000043303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.575{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.575{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000043301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.575{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{FFCD19E1-D740-4D98-842A-DC91D649D633}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|EmbedCtxt=SecondaryTileExperience| 10341000x800000000000000043300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.575{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.575{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.575{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.575{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000043296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.575{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{9D3C6F60-35EF-48D0-955E-E7B519B0AE24}v2.26|Action=Block|Active=TRUE|Dir=In|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|EmbedCtxt=SecondaryTileExperience| 23542300x800000000000000043295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.575{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.560{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.560{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C17BFB47199EDEA6AEF8D096A5E5CC32,SHA256=9BF25BB77BE8CC1E2D9E8FF4668F741D81EA1C95BABBBA1DEBCDA86B0AB9F091,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.544{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.544{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.544{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000043289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.544{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769S-1-5-21-3740187008-2201179595-1268207648-500v2.26|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|C=S-1-15-3-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|M=microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\|PFN=Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy| 10341000x800000000000000043288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.544{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.544{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.544{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000043281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.528{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{214E373B-F2A7-4C13-BFC7-919882AB5B27}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|EmbedCtxt=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}| 10341000x800000000000000043280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000043274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.528{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{BEE62548-B6EE-49A6-8454-10F801C24A72}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|EmbedCtxt=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}| 10341000x800000000000000043273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.528{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437AE03C6467FD1AD669647821EA860C,SHA256=B0818F52E247175CD6BBE136E76024B588985656DD30C0D90FAE98198B9B0AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.513{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.513{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.513{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.513{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.513{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.513{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.513{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3740187008-2201179595-1268207648-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.481{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05DA8B6A9D22CB7D2EC780A425EE45F,SHA256=287E27DC63E5DBE6721B348883EA1F3585CFD58A627EF5DEF2B9B0C9FE8ACA9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.481{8D4DD44E-79A3-616D-3809-000000000402}30041448C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.466{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.466{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.466{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.466{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.466{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.466{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.466{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.466{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.466{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.466{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3740187008-2201179595-1268207648-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554E1F6D0F6EDDE6B90C9EEF93A8C9F5,SHA256=2A8F11F82CC1E902AED9B4FFCE39A7DEE0B949CD9DDD402ECD737EECFD852279,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.450{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.435{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.435{8D4DD44E-79A3-616D-3809-000000000402}30041448C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.419{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.403{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.388{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.388{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.388{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.388{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000043172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.388{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706S-1-5-21-3740187008-2201179595-1268207648-500v2.26|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|C=S-1-15-3-1|C=S-1-15-3-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|M=microsoft.windows.apprep.chxapp_cw5n1h2txyewy|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|D=C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\|PFN=Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy| 23542300x800000000000000043171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.388{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000043170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.388{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{4532D913-BA3E-42EC-BA15-7C476144B347}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000043169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.388{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{ACD87CB9-889C-4ED2-ACA3-835D0077BA0C}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 13241300x800000000000000043168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.388{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{857F6879-24C9-463E-AC31-022E03758FF8}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 13241300x800000000000000043167Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.388{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{2DF27489-E1CB-4583-8880-0B27C04A2591}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 23542300x800000000000000043166Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.372{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000043165Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.356{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312S-1-5-21-3740187008-2201179595-1268207648-500v2.26|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|C=S-1-15-3-1|C=S-1-15-3-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|M=microsoft.lockapp_cw5n1h2txyewy|Name=@{Microsoft.LockApp_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|D=C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\|PFN=Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy| 10341000x800000000000000043164Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043163Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043162Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043161Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043160Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043159Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000043158Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.341{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{CCBB62AD-B0AA-4F5D-AA1B-E458A7A4AB82}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000043157Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.341{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{1D7FF2BA-3E03-467C-8CBB-CB96FFEDE092}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 13241300x800000000000000043156Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.341{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{6EF6D6DF-B842-412D-B4C7-1CE38A6167BC}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 10341000x800000000000000043155Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043154Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043153Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000043152Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.341{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{7495A2CC-6093-4648-B48D-573FF3CE726C}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 10341000x800000000000000043151Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043150Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043149Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043148Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043147Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043146Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043145Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043144Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043143Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043142Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.341{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C7432403F230426878975B85C98301,SHA256=35279ABE8F643E0A7A0922CADF62543D5D629AF7EEB328C6FAF2EECE7EF29FA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043141Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.325{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043140Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.325{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043139Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.325{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043138Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.325{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043137Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.325{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043136Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.325{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043135Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.325{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043134Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.325{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043133Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043132Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043131Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043130Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043129Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043128Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043127Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043126Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043125Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043124Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043123Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043122Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3740187008-2201179595-1268207648-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043121Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043120Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043119Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043118Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043117Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043116Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043115Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043114Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043113Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.310{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043112Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.294{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5251682D56FD77624EE37D5067F48F5,SHA256=7554ADF5289BF28AE26D0E22E0125CA450A1709FF4E29313B3D3D3786EE48D74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043111Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.278{8D4DD44E-79A3-616D-3809-000000000402}30041448C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043110Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043109Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043108Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043107Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043106Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043105Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043104Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043103Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043102Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043101Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043100Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043099Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043098Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043097Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043096Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043095Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043094Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043093Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043092Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043091Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043090Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043089Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.247{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043088Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.247{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043087Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.247{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043086Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.247{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043085Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.247{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043084Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.247{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043083Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.247{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043082Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.247{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043081Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.247{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043080Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.247{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043079Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.247{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043078Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.247{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043077Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.247{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043076Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.247{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043075Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.247{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043074Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.231{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3740187008-2201179595-1268207648-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043073Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.231{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043072Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.231{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC8BF688E39EC90810B8C96592A28DB,SHA256=80C37863F7FF3F499D4B7395F4E1EFAADFB3FD38D5D083124B2BAF1FFFCF954C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043071Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.200{8D4DD44E-79A3-616D-3809-000000000402}30041448C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3709-000000000402}1488C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043070Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043069Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043068Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043067Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043066Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043065Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043064Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000043063Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.169{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633S-1-5-21-3740187008-2201179595-1268207648-500v2.26|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|C=S-1-15-3-1|C=S-1-15-3-9|C=S-1-15-3-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|M=microsoft.accountscontrol_cw5n1h2txyewy|Name=@{Microsoft.AccountsControl_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|D=C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\|PFN=Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy| 10341000x800000000000000043062Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043061Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043060Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043059Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043058Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603A803B319562242EF3385B6716C337,SHA256=7778B09D22983B9A331A26E8518DB3A270C9C4F62ECB29D1CC1FA131BDE67071,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043057Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043056Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043055Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043054Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.169{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000043047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.153{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{895CF97E-892E-48C9-9B95-9E583FFA59BF}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000043046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.153{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{FC8034F0-DEF2-4817-B352-37EDA7F6E1B2}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 13241300x800000000000000043045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.153{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{995F4F26-C8AA-4C54-9E28-5285FF06065C}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 13241300x800000000000000043044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:41:58.153{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{FD6C2A01-F51B-4A5D-912E-CDF0D32ADBC8}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 10341000x800000000000000043043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.153{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.153{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.153{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.153{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.153{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.153{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.138{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.138{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.138{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.138{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.138{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.138{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.138{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.138{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AFCC81A3605438AD572208B3DCF1EB2,SHA256=AD4358C4539103251A08B3A7D9B7A29B0EA29E2C7C463707558EF5459C24FE92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.138{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.138{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.138{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.122{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.122{8D4DD44E-79A3-616D-3809-000000000402}3004NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.106{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72884CCEF5F1996571B153DF10B07989,SHA256=B8E20ED67B33EC72450EBAEFCB8A5BE067C3E16E00554621B13E2C77B6CAF235,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.106{8D4DD44E-5BA9-616D-1600-000000000402}12923384C:\Windows\system32\svchost.exe{8D4DD44E-79A6-616D-3A09-000000000402}2836C:\Windows\System32\ie4uinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.106{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79A6-616D-3A09-000000000402}2836C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.028{8D4DD44E-5BA9-616D-1600-000000000402}12923384C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\shsvcs.dll+11f99|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000043020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.028{8D4DD44E-5BA9-616D-1600-000000000402}12923384C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x101068C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\shsvcs.dll+11f27|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000043019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-79A6-616D-3A09-000000000402}2836C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-79A3-616D-3609-000000000402}48003452C:\Windows\Explorer.EXE{8D4DD44E-79A6-616D-3A09-000000000402}2836C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+551c74|C:\Windows\System32\SHELL32.dll+5516d0|C:\Windows\System32\SHELL32.dll+551844|C:\Windows\System32\SHELL32.dll+1cc52b|C:\Windows\System32\SHELL32.dll+1cc3e6|C:\Windows\System32\SHELL32.dll+e4fe1 154100x800000000000000043011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.017{8D4DD44E-79A6-616D-3A09-000000000402}2836C:\Windows\System32\ie4uinit.exe11.00.14393.2999 (rs1_release_inmarket.190520-1518)IE Per-User Initialization UtilityInternet ExplorerMicrosoft CorporationIE4UINIT.EXE"C:\Windows\System32\ie4uinit.exe" -UserConfigC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=8450580ADC40581006B7233F2B2803EB,SHA256=DD7FE0DBD6BD3B66437C093B707D1B2CA8AC72E4671B88829A4327FA6B8A00BD,IMPHASH=A9F54FA8B3C0ECA158788E684C66CA9A{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000043010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:58.013{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.966{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.966{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.966{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.966{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.966{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.966{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:57.966{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.997{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71198013205DA0E16EB7DD48393713FF,SHA256=CE63EB3ABDFBFABD3748C8FF0F31C835CE7B21C48DC4C7EC787F05D06401DBD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.919{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-79A6-616D-3A09-000000000402}2836C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.919{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-79A6-616D-3A09-000000000402}2836C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.919{8D4DD44E-79A6-616D-3A09-000000000402}2836ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI4159.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.857{8D4DD44E-79A6-616D-3A09-000000000402}2836ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI4159.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.857{8D4DD44E-79A6-616D-3A09-000000000402}2836ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI40FA.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.763{8D4DD44E-79A6-616D-3A09-000000000402}2836ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI40FA.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.763{8D4DD44E-79A6-616D-3A09-000000000402}2836ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI409C.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.669{8D4DD44E-79A6-616D-3A09-000000000402}2836ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI409C.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.669{8D4DD44E-79A6-616D-3A09-000000000402}2836ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI405C.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.607{8D4DD44E-79A6-616D-3A09-000000000402}2836ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI405C.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.607{8D4DD44E-79A6-616D-3A09-000000000402}2836ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI400D.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.560{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DFD169DCCE3330C03C6606912C88093,SHA256=66C8C547F55CADD6EB80FF5C7235373496AC8ABFA3F1C7F2D5DFE92A6DC7B517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029697Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:59.533{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB750D6C56536A60B7979D67AA9A8D56,SHA256=F91660D95AE0720B92FF6B56CC08DF7792C4AE23EA251F4F5823D4FB6E0C9D13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.528{8D4DD44E-79A6-616D-3A09-000000000402}2836ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI400D.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.528{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3160EF0F96368111607EAD5C9962FCEA,SHA256=D21CBD201518EC93A05836BA5BBDBC579494BBD0063160B748F8A4B1198A3A99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.341{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-79A7-616D-3D09-000000000402}3804C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.341{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-79A7-616D-3D09-000000000402}3804C:\Windows\system32\RunDll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.341{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-79A7-616D-3C09-000000000402}4408C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.341{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-79A7-616D-3C09-000000000402}4408C:\Windows\system32\RunDll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.341{8D4DD44E-5BA9-616D-1600-000000000402}12923384C:\Windows\system32\svchost.exe{8D4DD44E-79A7-616D-3D09-000000000402}3804C:\Windows\system32\RunDll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.341{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79A7-616D-3D09-000000000402}3804C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.341{8D4DD44E-5BA9-616D-1600-000000000402}12923384C:\Windows\system32\svchost.exe{8D4DD44E-79A7-616D-3C09-000000000402}4408C:\Windows\system32\RunDll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.341{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79A7-616D-3C09-000000000402}4408C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.325{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029696Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:59.096{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B01E83EC04E1915B89E458D1856B8BF,SHA256=0A531F531342844E4E77365476D64B8F3052253086A3488956133293CD1CFFA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029695Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:57.201{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com50933-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 10341000x800000000000000043525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.325{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.325{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.325{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.325{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-79A7-616D-3D09-000000000402}3804C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.325{8D4DD44E-79A6-616D-3B09-000000000402}49924880C:\Windows\System32\ie4uinit.exe{8D4DD44E-79A7-616D-3D09-000000000402}3804C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\migration\WininetPlugin.dll+2b25|C:\Windows\system32\migration\WininetPlugin.dll+1e44|C:\Windows\system32\migration\WininetPlugin.dll+176c|C:\Windows\System32\ie4uinit.exe+2b3c|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.329{8D4DD44E-79A7-616D-3D09-000000000402}3804C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0C:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922MediumMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -ClearIconCache 10341000x800000000000000043519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.325{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.325{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.325{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.325{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-79A7-616D-3C09-000000000402}4408C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.325{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.325{8D4DD44E-79A6-616D-3B09-000000000402}49924880C:\Windows\System32\ie4uinit.exe{8D4DD44E-79A7-616D-3C09-000000000402}4408C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\migration\WininetPlugin.dll+2b25|C:\Windows\system32\migration\WininetPlugin.dll+1e44|C:\Windows\system32\migration\WininetPlugin.dll+1743|C:\Windows\System32\ie4uinit.exe+2b3c|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.308{8D4DD44E-79A7-616D-3C09-000000000402}4408C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0C:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922LowMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -ClearIconCache 10341000x800000000000000043512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.107{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:41:59.107{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:00.950{8D4DD44E-5BA9-616D-1600-000000000402}12923384C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+74a3|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:00.919{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:00.919{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:00.638{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EAC5CED7EF2F9FB1C7698DBC726E4A,SHA256=4F1249F0EC4FEEF99C85A861D51ED17280AE8242D7B7C997E0942CFD5166D5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029699Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:00.580{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34682AB6B0E0CE559C12C88FB666B082,SHA256=9632E48EB4B445143919965AEA8268E74BB4B4242FBB282563CBBB4559AA8613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:00.532{8D4DD44E-79A6-616D-3A09-000000000402}2836ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\Administrator\Favorites\Bing.urlMD5=5D42DDDDA9951546C9D43F0062C94D39,SHA256=E0C0A5A360482B5C5DED8FAD5706C4C66F215F527851AD87B31380EF6060696E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000043554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:00.263{8D4DD44E-79A6-616D-3A09-000000000402}2836C:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txt2021-10-18 11:13:28.435 23542300x800000000000000043553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:00.263{8D4DD44E-79A6-616D-3A09-000000000402}2836ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txtMD5=9902BAEDC06FA4A8681E696EE6C73C06,SHA256=D0628FA63102EE74053BC6EFDD297AED794848F5DC300DAA7E391F4CF04E8511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:00.200{8D4DD44E-79A6-616D-3A09-000000000402}2836ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.bakMD5=840DF767CAC9367CBBFD774EF011EAF3,SHA256=B2BAC5F3DE47D5C7ACDC0F8AFC4FFD4740260880C0A0CF4E4383495AB1AA98DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:00.200{8D4DD44E-79A6-616D-3A09-000000000402}2836ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI4235.tmpMD5=A828B8C496779BDB61FCE06BA0D57C39,SHA256=C952F470A428D5D61ED52FB05C0143258687081E1AD13CFE6FF58037B375364D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:00.076{8D4DD44E-79A6-616D-3A09-000000000402}2836ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI4235.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029698Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:57.580{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.825{8D4DD44E-79A3-616D-3609-000000000402}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms~RF754906.TMPMD5=146F33F7E48C8BFA5A7FA86A3852408B,SHA256=E402EB270BCFF1B4921EEE83682974D135F38A51CD1F842141E191CAA38893B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.778{8D4DD44E-79A3-616D-3609-000000000402}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms~RF7548d7.TMPMD5=CE4EA1958BD7A54E6FFE7BD3A599A642,SHA256=6672E28A3AD07202118B42BBAC559D6A65AF8B3829B7AEB2F18B3EB70027DEFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.747{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.747{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.747{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.747{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.731{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F58F1E44F48CC0DA16F54D053D27749,SHA256=6009B68197B018990823F99FBC3237177C6861B91176670EBECEF2C3479C95BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.731{8D4DD44E-79A3-616D-3609-000000000402}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms~RF7548a8.TMPMD5=595763DFD2DAB977091A843EBCF1164F,SHA256=C7A2B95661E15C18F8407CD81FBDE33356781C26DF3C60ED914AC534D35CEF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029701Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:01.596{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8871289CCB5C063CA47004AB5F1ED99,SHA256=95CD602445BB177F14064EC487F2E745C7F7D998412FDEB5D333E66B1BC93DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.669{8D4DD44E-79A3-616D-3609-000000000402}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms~RF75486a.TMPMD5=DADFF5A5756573645ADC5785A8099647,SHA256=CCF4C19E821EBC9A362A58A3B6CCC2B03674297D1777C6036A83EDF672C16A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.606{8D4DD44E-79A3-616D-3609-000000000402}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms~RF75482b.TMPMD5=D252F6F15CAEDF365FE2BA1989DBE20F,SHA256=82FB3B41C3D72F27391B1D27B42C99932F26CF5C6E817B65AF5AAD293BC24ACB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000043578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:42:01.466{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXEHKU\S-1-5-21-3740187008-2201179595-1268207648-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FBF23B40-E3F0-101B-8488-00AA003E56F8} {000214F9-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x800000000000000043577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.153{8D4DD44E-5BA9-616D-1600-000000000402}12923384C:\Windows\system32\svchost.exe{8D4DD44E-79A9-616D-4009-000000000402}4340C:\Windows\System32\unregmp2.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.153{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79A9-616D-4009-000000000402}4340C:\Windows\System32\unregmp2.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.091{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.091{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.091{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-79A9-616D-4009-000000000402}4340C:\Windows\System32\unregmp2.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.091{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.091{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.091{8D4DD44E-79A3-616D-3609-000000000402}48003452C:\Windows\Explorer.EXE{8D4DD44E-79A9-616D-4009-000000000402}4340C:\Windows\System32\unregmp2.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+551c74|C:\Windows\System32\SHELL32.dll+5516d0|C:\Windows\System32\SHELL32.dll+551844|C:\Windows\System32\SHELL32.dll+1cc52b|C:\Windows\System32\SHELL32.dll+30b7d|C:\Windows\System32\SHELL32.dll+e4fe1 154100x800000000000000043569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.092{8D4DD44E-79A9-616D-4009-000000000402}4340C:\Windows\System32\unregmp2.exe12.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows Media Player Setup UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationunregmp2.exe"C:\Windows\System32\unregmp2.exe" /FirstLogonC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=0AFAF8B10C3D2B009DED280C875EA3EA,SHA256=CFC5A8170AF2CCB8F846BA738E5173596A4C35C023BCE5E6EB04E07779283188,IMPHASH=DFC94E57160B0CE8835243B5D92F3D9E{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000043568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.060{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A9-616D-3F09-000000000402}4308C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.044{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-79A9-616D-3F09-000000000402}4308C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.044{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A9-616D-3F09-000000000402}4308C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.013{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.013{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.013{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.013{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.013{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:01.013{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029700Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:01.111{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82B7292B9F0A3A6637B6C85B9E0855C2,SHA256=3B18112A83325F4AB6E26A7F7F23948D414015023DE1EE25413E6537783AB439,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.981{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.981{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.981{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.981{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.981{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-79AA-616D-4109-000000000402}2020C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.981{8D4DD44E-79A3-616D-3609-000000000402}48003452C:\Windows\Explorer.EXE{8D4DD44E-79AA-616D-4109-000000000402}2020C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+551c74|C:\Windows\System32\SHELL32.dll+5516d0|C:\Windows\System32\SHELL32.dll+551844|C:\Windows\System32\SHELL32.dll+1cc52b|C:\Windows\System32\SHELL32.dll+30b7d|C:\Windows\System32\SHELL32.dll+e4fe1 154100x800000000000000043601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.994{8D4DD44E-79AA-616D-4109-000000000402}2020C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenAdminC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 11241100x800000000000000043600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.888{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXEC:\Users\Administrator\Links\Downloads.lnk2021-10-18 11:13:26.038 23542300x800000000000000043599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.888{8D4DD44E-79A3-616D-3609-000000000402}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\Links\Downloads.lnkMD5=859920D477EE7ED0174243DFF586E5E3,SHA256=1F8B2760E210762D02665D55224973A3EE73E43B7E0F5398AF35E86861B7CB50,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000043598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.872{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXEC:\Users\Administrator\Links\Desktop.lnk2021-10-18 11:13:26.053 23542300x800000000000000043597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.872{8D4DD44E-79A3-616D-3609-000000000402}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\Links\Desktop.lnkMD5=D5CF13D810C697DFC19F42E6D44FE391,SHA256=CDE1DBC52A9ED24304BE4A6EB10EBDD3C80F7016F136519CA3504F04539988E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.794{8D4DD44E-79A3-616D-3609-000000000402}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms~RF754ccf.TMPMD5=7FC19D6C80DEE4899E176EFB302F9666,SHA256=CD77BE276D187CDD63DA760ACE964165EC65223337443BE3DEDE5F8E1AE4E92B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.763{8D4DD44E-79A3-616D-3609-000000000402}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.dbMD5=A7F8296CDC5152AB7651B283020EEE4F,SHA256=8A553E97AE3298F7478DF69DF7F5AB092CA144143ED387C935A84306F41DBCFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.731{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68BC774D00C7D78D53DFF6CE4C6CF977,SHA256=A9E9227C5112A730DFA99E1B70895503EBC5625B56F65D76431F4EB570329F99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029703Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:02.611{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8E1CE35D1AA14997EDC0F56AA7CA9F,SHA256=1B759AAA4C6A2DCFAF9228357AB08AE16DBA6597F8B6E5E4D873C3667B3CB5A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.700{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=006E3EBC3A2AC2D55398C0FCA9797248,SHA256=31B42224CF5DCCBA5B59FF47B859D5B4806B2B83ABD52DB24C57B818A2BDE74E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:00.120{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59054-false10.0.1.12-8000- 23542300x800000000000000043591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.231{8D4DD44E-79A3-616D-3609-000000000402}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms~RF754a9c.TMPMD5=ADC21E05DB8825BC142EAA6F6B01B422,SHA256=6A24549FFA366D382C55911C735FE00016383FC91EBC54EC5AEB30A4DA361F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.122{8D4DD44E-79A3-616D-3609-000000000402}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms~RF754a2f.TMPMD5=501E611760DE33E88FA230922E107DEC,SHA256=694BC6B0C40B466F697FD32C4F8DEECDE5EF9854782C00BA177E7484EB5097B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:02.028{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D34BEF57AA805DE24476942D34BEEB17,SHA256=D32CCE54FBCBD094C8F1ECF71CBF865FC1A15B200B4458DDCE8DD873747666E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029702Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:41:59.207{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com51089-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 11241100x800000000000000043658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.856{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (7).lnk2021-10-18 13:42:03.856 23542300x800000000000000043657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.810{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D694FD364AEBB6A7985101D92027154,SHA256=2CD278E41748116EE54D55A06569F11F1A76B399E180997968C2AA4C6490DFB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.810{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17006D334A33ED406EED00A046EB443,SHA256=4F7125B6CC0D6017317632F80E6147FCE089292F42F36066F33C783EA887D102,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000043655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.763{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (7).lnk2021-10-18 13:42:03.763 13241300x800000000000000043654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1042SetValue2021-10-18 13:42:03.763{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXEHKU\S-1-5-21-3740187008-2201179595-1268207648-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 23542300x800000000000000029705Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:03.627{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0050DCB60E8F21DED39DFD404C9D81,SHA256=807E58D03F44D21AB7A96789622C3842D4F5F990A95F4D32636391B808BECACB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000043653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localInvDB-DriverVerSetValue2021-10-18 13:42:03.701{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe\REGISTRY\A\{9ea702d7-8e85-b262-dde0-e228b9986180}\Root\InventoryDevicePnp\swd/scdeviceenumbus/1\DriverVerVersion10.0.14393.0 13241300x800000000000000043652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localInvDB-DriverVerSetValue2021-10-18 13:42:03.701{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe\REGISTRY\A\{9ea702d7-8e85-b262-dde0-e228b9986180}\Root\InventoryDevicePnp\swd/scdeviceenumbus/0\DriverVerVersion10.0.14393.0 13241300x800000000000000043651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localInvDB-DriverVerSetValue2021-10-18 13:42:03.701{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe\REGISTRY\A\{9ea702d7-8e85-b262-dde0-e228b9986180}\Root\InventoryDevicePnp\terminput_bus/umb/2&2c22bcc9&0&session2mouse0\DriverVerVersion10.0.14393.0 13241300x800000000000000043650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localInvDB-DriverVerSetValue2021-10-18 13:42:03.685{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe\REGISTRY\A\{9ea702d7-8e85-b262-dde0-e228b9986180}\Root\InventoryDevicePnp\terminput_bus/umb/2&2c22bcc9&0&session2keyboard0\DriverVerVersion10.0.14393.0 10341000x800000000000000043649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.560{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.560{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.560{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.560{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.560{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.560{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.560{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.560{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.560{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.560{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.560{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.560{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.560{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.560{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.544{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.544{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.544{8D4DD44E-79A3-616D-3709-000000000402}14883144C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000043632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.544{8D4DD44E-79A3-616D-3709-000000000402}14883144C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000043631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.544{8D4DD44E-79A3-616D-3709-000000000402}1488708C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000043630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.544{8D4DD44E-79A3-616D-3709-000000000402}1488708C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000043629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.528{8D4DD44E-5BA9-616D-1600-000000000402}12923384C:\Windows\system32\svchost.exe{8D4DD44E-79AB-616D-4209-000000000402}1412C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.528{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79AB-616D-4209-000000000402}1412C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.513{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}1412C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.513{8D4DD44E-79A3-616D-3609-000000000402}48003452C:\Windows\Explorer.EXE{00000000-0000-0000-0000-000000000000}1412C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+551c74|C:\Windows\System32\SHELL32.dll+5516d0|C:\Windows\System32\SHELL32.dll+551844|C:\Windows\System32\SHELL32.dll+1cc52b|C:\Windows\System32\SHELL32.dll+30b7d|C:\Windows\System32\SHELL32.dll+e4fe1 154100x800000000000000043625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.520{8D4DD44E-79AB-616D-4209-000000000402}1412C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUserC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 13241300x800000000000000043624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:42:03.497{8D4DD44E-79AA-616D-4109-000000000402}2020C:\Windows\System32\rundll32.exeHKU\S-1-5-21-3740187008-2201179595-1268207648-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809DWORD (0x00000000) 13241300x800000000000000043623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:42:03.497{8D4DD44E-79AA-616D-4109-000000000402}2020C:\Windows\System32\rundll32.exeHKU\S-1-5-21-3740187008-2201179595-1268207648-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206DWORD (0x00000003) 23542300x800000000000000043622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.497{8D4DD44E-79AA-616D-4109-000000000402}2020ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI4F45.tmpMD5=A828B8C496779BDB61FCE06BA0D57C39,SHA256=C952F470A428D5D61ED52FB05C0143258687081E1AD13CFE6FF58037B375364D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.419{8D4DD44E-79AA-616D-4109-000000000402}2020ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI4F45.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.403{8D4DD44E-79AA-616D-4109-000000000402}2020ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI4EF5.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000043619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:42:03.403{8D4DD44E-79AA-616D-4109-000000000402}2020C:\Windows\System32\rundll32.exeHKU\S-1-5-21-3740187008-2201179595-1268207648-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500DWORD (0x00000000) 23542300x800000000000000043618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.341{8D4DD44E-79AA-616D-4109-000000000402}2020ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI4EF5.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.341{8D4DD44E-79AA-616D-4109-000000000402}2020ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI4EB6.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.278{8D4DD44E-79AA-616D-4109-000000000402}2020ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI4EB6.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.278{8D4DD44E-79AA-616D-4109-000000000402}2020ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI4E57.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.185{8D4DD44E-79AA-616D-4109-000000000402}2020ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI4E57.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.185{8D4DD44E-79AA-616D-4109-000000000402}2020ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI4E18.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.122{8D4DD44E-79AA-616D-4109-000000000402}2020ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI4E18.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.122{8D4DD44E-79AA-616D-4109-000000000402}2020ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI4DD8.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.060{8D4DD44E-79AA-616D-4109-000000000402}2020ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI4DD8.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.013{8D4DD44E-5BA9-616D-1600-000000000402}12923384C:\Windows\system32\svchost.exe{8D4DD44E-79AA-616D-4109-000000000402}2020C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.013{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79AA-616D-4109-000000000402}2020C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029704Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:03.439{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC4088C8E03E7370A4BC1BBD942A9376,SHA256=8A89DF59A0CB0D31695D1684360CFFA0AFF6387E145C0C2381CF6E5B5A545250,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.981{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.981{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.966{8D4DD44E-79A3-616D-3609-000000000402}48002788C:\Windows\Explorer.EXE{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000043699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.966{8D4DD44E-79A3-616D-3609-000000000402}48002788C:\Windows\Explorer.EXE{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000043698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.966{8D4DD44E-79A3-616D-3609-000000000402}48003804C:\Windows\Explorer.EXE{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000043697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.966{8D4DD44E-79A3-616D-3609-000000000402}48003804C:\Windows\Explorer.EXE{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000043696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.950{8D4DD44E-79A3-616D-3609-000000000402}48003804C:\Windows\Explorer.EXE{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000043695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.950{8D4DD44E-79A3-616D-3609-000000000402}48003804C:\Windows\Explorer.EXE{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 23542300x800000000000000043694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.950{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE64B50701896053F0E4FD6B552466D9,SHA256=867DFC62F2B4EE41D66F80B4C3E11149FFF462D4BACDAA783E5BE09A978FED46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.919{8D4DD44E-5BA9-616D-1600-000000000402}12921416C:\Windows\system32\svchost.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.919{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.903{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.888{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.888{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.888{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029707Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:04.627{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=279E865B46BAFFA842B023BB8E18C46A,SHA256=0058EEEB26991103FF06016674DC155DBCCDE413B978EFB815C24EC125A4DF62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.825{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.825{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.825{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.825{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.810{8D4DD44E-79A2-616D-2F09-000000000402}42682260C:\Windows\system32\taskhostw.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.810{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.810{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.716{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.700{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5E67EACDDEC38A657A8C4D99C33CD95C,SHA256=2E93153F12D07F16EC4E5605B9B145EF16C52C6F7536F80BAEE1A48CC861CFD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.544{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.528{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.513{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.513{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.513{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.513{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.513{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.497{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.497{8D4DD44E-79A2-616D-2B09-000000000402}43844936C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000043669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.497{8D4DD44E-79A2-616D-2B09-000000000402}43844936C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 23542300x800000000000000043668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.091{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5E67EACDDEC38A657A8C4D99C33CD95C,SHA256=2E93153F12D07F16EC4E5605B9B145EF16C52C6F7536F80BAEE1A48CC861CFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.091{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5DF56EF0A24F6D203B64769005E63032,SHA256=E614625436FCE7B12D75BAC854F7A93ADFEB3D962E3E43937D16DEBF62993813,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.075{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.075{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.075{8D4DD44E-79A3-616D-3609-000000000402}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7e4dca80246863e3.customDestinations-ms~RF7551d0.TMPMD5=6852E3A0BF1C01BB4DBFCB51C1A7C087,SHA256=74D6D8C58D0BEB0716EEECDC55366E193186924A616E057CD210F4104E5D85E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.075{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EA5423E76619151C05E37B6C9286016,SHA256=6A820E3676822C029700BC613BE28855483778C4B2723BEF11853E73E6FC40B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.060{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.060{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:04.060{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:03.997{8D4DD44E-79A3-616D-3609-000000000402}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f01b4d95cf55d32a.customDestinations-ms~RF755182.TMPMD5=B9BD716DE6739E51C620F2086F9C31E4,SHA256=7116FF028244A01F3D17F1D3BC2E1506BC9999C2E40E388458F0CCCC4E117312,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029706Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:01.554{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com51270-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029710Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:05.767{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=037CAD0D0E507CF78BCB35154EE2475B,SHA256=5A0B395536517BB8CA5226F43FFB54E086068F157245331F90F51170F99F8A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029709Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:05.642{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE6C9EBBCCD9D2B6962E4939744293D,SHA256=BCCE985CCF3421CB76B6E21798929EC6C2621EA68230E44BC46243578175D394,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.981{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000043744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.966{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.966{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.966{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.966{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.966{8D4DD44E-79A2-616D-2C09-000000000402}19324604C:\Windows\system32\sihost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000043739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.966{8D4DD44E-79A2-616D-2C09-000000000402}19324604C:\Windows\system32\sihost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000043738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.966{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.966{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.966{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000043735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.966{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.966{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.966{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.950{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.950{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.950{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.950{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.950{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.950{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000043726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.950{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000043725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.935{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000043724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.935{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.935{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.935{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.935{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.935{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.935{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.935{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.935{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.919{8D4DD44E-79A2-616D-2F09-000000000402}42682260C:\Windows\system32\taskhostw.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.435{8D4DD44E-5BA9-616D-1600-000000000402}12921416C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.435{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.419{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.419{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.263{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000043709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000043708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.263{8D4DD44E-79A2-616D-2C09-000000000402}19324780C:\Windows\system32\sihost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.263{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.263{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+47a1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.169{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.169{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.153{8D4DD44E-79A3-616D-3609-000000000402}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Notifications\WPNPRMRY.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029708Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:02.752{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029712Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:06.658{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE98D34E6F4B37450EBA603C4E03AFF,SHA256=431CEE33FF39687ED2D99E25047488D56F3DD1C815D0D03CBFEAAB6D687634D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043888Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.950{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6217442B3186978D59BA535A8D7B0EBA,SHA256=A1FD13AE744E23B8753CABA57C475AAE4959F89BC954C72A9A38CCE658037F72,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029711Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:03.865{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com51464-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 10341000x800000000000000043887Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.903{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+7e00|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000043886Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.903{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+7e00|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 23542300x800000000000000043885Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.903{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486BC0107ADDFC0CD542CCD3EDEFAD37,SHA256=589C7A4B2948E880CA7B01FA2B9C64906BDCE284CD77242A6CE307934EB232C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043884Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.872{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EBC926EBD07DFF6815B594452365074,SHA256=4E7296C13E574BB1B528EA127BFEA3A396E912FE646B0AE69ED96D2C1DFC53F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043883Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.856{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000043882Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.856{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043881Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.856{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043880Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.856{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043879Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.856{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043878Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.856{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043877Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.856{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043876Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.841{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043875Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.841{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043874Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.841{8D4DD44E-79A2-616D-2F09-000000000402}42682260C:\Windows\system32\taskhostw.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043873Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.810{8D4DD44E-5BA9-616D-1600-000000000402}12921416C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043872Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.810{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043871Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.716{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000043870Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.716{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000043869Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043868Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043867Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845356C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043866Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043865Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043864Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845352C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043863Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043862Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043861Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845328C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043860Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043859Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043858Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845300C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043857Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845300C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043856Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845308C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043855Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845316C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043854Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043853Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845304C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043852Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845308C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043851Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845316C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043850Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043849Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845304C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000043848Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}4384912C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043847Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.700{8D4DD44E-79A2-616D-2B09-000000000402}43845312C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043846Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.685{8D4DD44E-79A2-616D-2B09-000000000402}43845300C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043845Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.685{8D4DD44E-79A2-616D-2B09-000000000402}43842036C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043844Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.685{8D4DD44E-79A2-616D-2B09-000000000402}4384912C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043843Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.685{8D4DD44E-79A2-616D-2B09-000000000402}43844936C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 23542300x800000000000000043842Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.685{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C08E3869A439227EEAF12EA4AC96183,SHA256=D3B38624F746F3D17C7E3A07990EEA6AA75902FF0C3E7E8556BB6B29C1C67FF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043841Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.669{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043840Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.669{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043839Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.638{8D4DD44E-79AE-616D-4609-000000000402}42765124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043838Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.622{8D4DD44E-5BA9-616D-1000-000000000402}4961776C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043837Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.622{8D4DD44E-5BA9-616D-1000-000000000402}4961776C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043836Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.622{8D4DD44E-5BA9-616D-1000-000000000402}4961776C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043835Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.622{8D4DD44E-5BA9-616D-1000-000000000402}4961776C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043834Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.622{8D4DD44E-5BA9-616D-1000-000000000402}4961776C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043833Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043832Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043831Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000043830Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000043829Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48005276C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000043828Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043827Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043826Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043825Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000043824Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000043823Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000043822Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000043821Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000043820Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000043819Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000043818Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000043817Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000043816Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000043815Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.606{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000043814Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.466{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-79AE-616D-4609-000000000402}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043813Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.466{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23CB72FFD21574B14D8BFD6B12C447D,SHA256=8F5FEBF85DEE99C89C5C4EDBACB7389D3FFCCCB5B03E331D01F1EB10C894B747,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043812Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.466{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043811Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.466{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043810Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.466{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043809Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.466{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043808Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.466{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-79AE-616D-4609-000000000402}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043807Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.466{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-79AE-616D-4609-000000000402}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043806Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.342{8D4DD44E-79AE-616D-4609-000000000402}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043805Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.388{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043804Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.388{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043803Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.388{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043802Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.388{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043801Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.388{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043800Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.388{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043799Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.388{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043798Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.388{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043797Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.388{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043796Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.388{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043795Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.372{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043794Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.372{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043793Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.372{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043792Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.372{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043791Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.372{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043790Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.372{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043789Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.356{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000043788Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.356{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000043787Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.310{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043786Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.310{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000043785Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.294{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000043784Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.294{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000043783Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.294{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000043782Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.294{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043781Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.294{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043780Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.294{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043779Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.294{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043778Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.294{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043777Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.294{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043776Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.294{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043775Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.294{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043774Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.263{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7705|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000043773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.263{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7705|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000043772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.263{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.263{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043770Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.263{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043769Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.263{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043768Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.231{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043767Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.231{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000043766Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.231{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000043765Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.231{8D4DD44E-79A2-616D-2C09-000000000402}19324780C:\Windows\system32\sihost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043764Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.231{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043763Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.231{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+47a1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043762Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.122{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4849CC20869A7EEF23097804F42A7EF5,SHA256=01CB1F37810A52C45988E4B606DDFBF89F74A8CEAC454D484C5F042DE49590F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043761Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.091{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67D79CD88DA3E729F8686EAA31F32714,SHA256=A6D16D1A44579DE0397AE442A379FA0FFE4D653CBDE9A32288928A18AE44BB2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043760Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.091{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C78E54262A89ECE976875F886B53FE,SHA256=BE38958F39200DC5D2D38325B162E336CE62E28542A15F28A67B2AE4A7758847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043759Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.028{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043758Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.028{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043757Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.028{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.028{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-18 13:42:06.028{8D4DD44E-79AD-616D-4409-000000000402}104\TDLN-104-41C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe 17141700x800000000000000043754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-CreatePipe2021-10-18 13:42:06.028{8D4DD44E-5BB9-616D-2A00-000000000402}2996\TDLN-104-41C:\Windows\system32\svchost.exe 10341000x800000000000000043753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.028{8D4DD44E-5BB9-616D-2A00-000000000402}29964236C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000043752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.028{8D4DD44E-5BB9-616D-2A00-000000000402}29964236C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000043751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.028{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.028{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.997{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.997{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.997{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:05.997{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029714Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:07.851{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B50D78238C77CC38AE4CE6A263DF324,SHA256=5AC22F2AE978532E7730462754378FB4BB7B469F9AE29C577447B0700BACCBD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029713Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:07.664{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2E92A66B17D4BECEB335C65BB928A0,SHA256=E3D91CD93CEF928BBB6A927DF277C5C78A9E77FB8834B516A0B85EED75CF4D1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044148Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.986{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-79AF-616D-4809-000000000402}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044147Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.971{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD89F54EA5A9DEEFF48B6015DDA497C2,SHA256=E67430BBBED9E4966B141B95C883991913197DABBE18AAA0D06D38269976BD96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044146Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.971{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044145Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.971{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044144Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.971{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044143Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.971{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044142Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.955{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-79AF-616D-4809-000000000402}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044141Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.955{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-79AF-616D-4809-000000000402}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044140Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.847{8D4DD44E-79AF-616D-4809-000000000402}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044139Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.814{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044138Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.814{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044137Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.814{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+f98a|C:\Windows\System32\execmodelclient.dll+f830|C:\Windows\System32\execmodelclient.dll+1e079|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000044136Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.814{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+f98a|C:\Windows\System32\execmodelclient.dll+f8ac|C:\Windows\System32\execmodelclient.dll+1e05b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000044135Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.814{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000044134Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.814{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000044133Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.814{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000044132Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.814{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000044131Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.814{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044130Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.814{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044129Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.814{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044128Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.783{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044127Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.752{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044126Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.752{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044125Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.752{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044124Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.752{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044123Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.752{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044122Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.752{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044121Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.736{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044120Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.736{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044119Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.736{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044118Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.736{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044117Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.736{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044116Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.736{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044115Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.736{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044114Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.736{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044113Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.736{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044112Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.736{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044111Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.736{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044110Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044109Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044108Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044107Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044106Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044105Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044104Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044103Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044102Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-79A2-616D-2C09-000000000402}19324780C:\Windows\system32\sihost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000044101Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-79A2-616D-2C09-000000000402}19324780C:\Windows\system32\sihost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000044100Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044099Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044098Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044097Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044096Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044095Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044094Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000044093Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044092Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044091Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044090Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.721{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044089Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.705{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044088Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.705{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044087Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.705{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044086Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.705{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044085Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.705{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044084Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.705{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044083Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.705{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044082Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.705{8D4DD44E-79A3-616D-3709-000000000402}1488708C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000044081Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.689{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044080Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.674{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].pngMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044079Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.674{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].htmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044078Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.674{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000044077Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.674{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt2021-10-18 13:42:07.674 23542300x800000000000000044076Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.674{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044075Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.674{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt2021-10-18 13:42:07.674 11241100x800000000000000044074Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt2021-10-18 13:42:07.658 23542300x800000000000000044073Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044072Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79A3-616D-3709-000000000402}1488708C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 11241100x800000000000000044071Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt2021-10-18 13:42:07.658 10341000x800000000000000044070Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79A3-616D-3709-000000000402}14883144C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000044069Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79A3-616D-3709-000000000402}14883144C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000044068Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79A3-616D-3709-000000000402}1488708C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000044067Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000044066Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt2021-10-18 13:42:07.658 23542300x800000000000000044065Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044064Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79A2-616D-2B09-000000000402}43845484C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000044063Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79A2-616D-2C09-000000000402}19324604C:\Windows\system32\sihost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000044062Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79A2-616D-2B09-000000000402}43845484C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044061Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79A2-616D-2C09-000000000402}19324604C:\Windows\system32\sihost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000044060Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000044059Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000044058Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044057Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79A3-616D-3709-000000000402}1488708C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 11241100x800000000000000044056Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt2021-10-18 13:42:07.658 10341000x800000000000000044055Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000044054Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 11241100x800000000000000044053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt2021-10-18 13:42:07.658 23542300x800000000000000044052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000044050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt2021-10-18 13:42:07.658 10341000x800000000000000044049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79A3-616D-3609-000000000402}48001304C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79A3-616D-3609-000000000402}48001304C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000044046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.658{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000044045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.643{8D4DD44E-79A2-616D-2F09-000000000402}42682260C:\Windows\system32\taskhostw.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.627{8D4DD44E-5BA9-616D-1000-000000000402}4961776C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.627{8D4DD44E-5BA9-616D-1000-000000000402}4961776C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000044042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.596{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt2021-10-18 13:42:07.596 23542300x800000000000000044041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.596{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.596{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt2021-10-18 13:42:07.596 11241100x800000000000000044039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.596{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt2021-10-18 13:42:07.580 23542300x800000000000000044038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.596{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.580{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt2021-10-18 13:42:07.580 11241100x800000000000000044036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.580{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt2021-10-18 13:42:07.580 23542300x800000000000000044035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.580{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.580{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt2021-10-18 13:42:07.580 11241100x800000000000000044033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.580{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt2021-10-18 13:42:07.580 23542300x800000000000000044032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.580{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.580{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt2021-10-18 13:42:07.580 11241100x800000000000000044030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.580{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt2021-10-18 13:42:07.580 23542300x800000000000000044029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.580{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.580{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt2021-10-18 13:42:07.580 11241100x800000000000000044027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.580{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt2021-10-18 13:42:07.580 23542300x800000000000000044026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.580{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.580{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt2021-10-18 13:42:07.580 11241100x800000000000000044024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.580{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt2021-10-18 13:42:07.580 23542300x800000000000000044023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.580{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.580{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt2021-10-18 13:42:07.580 11241100x800000000000000044021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.564{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt2021-10-18 13:42:07.564 23542300x800000000000000044020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.564{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.564{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt2021-10-18 13:42:07.564 11241100x800000000000000044018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.564{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt2021-10-18 13:42:07.564 23542300x800000000000000044017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.564{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.564{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt2021-10-18 13:42:07.564 11241100x800000000000000044015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.564{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt2021-10-18 13:42:07.564 23542300x800000000000000044014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.564{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.564{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt2021-10-18 13:42:07.564 11241100x800000000000000044012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.564{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt2021-10-18 13:42:07.564 23542300x800000000000000044011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.564{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.564{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt2021-10-18 13:42:07.564 11241100x800000000000000044009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.564{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt2021-10-18 13:42:07.549 23542300x800000000000000044008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.564{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.549{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt2021-10-18 13:42:07.549 11241100x800000000000000044006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.549{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt2021-10-18 13:42:07.549 23542300x800000000000000044005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.549{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.549{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt2021-10-18 13:42:07.549 11241100x800000000000000044003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.549{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt2021-10-18 13:42:07.549 23542300x800000000000000044002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.549{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.549{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt2021-10-18 13:42:07.549 11241100x800000000000000044000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.549{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt2021-10-18 13:42:07.549 23542300x800000000000000043999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.549{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000043998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.549{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt2021-10-18 13:42:07.549 11241100x800000000000000043997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.549{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt2021-10-18 13:42:07.549 23542300x800000000000000043996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.549{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000043995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.549{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt2021-10-18 13:42:07.549 11241100x800000000000000043994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.549{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt2021-10-18 13:42:07.533 23542300x800000000000000043993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.533{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000043992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.533{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt2021-10-18 13:42:07.533 10341000x800000000000000043991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.471{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.471{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000043989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.471{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000043988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.471{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000043987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.471{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000043986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.471{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000043985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.471{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 23542300x800000000000000043984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.455{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B1717BA7FF056CF0E31B07C301F8601A,SHA256=03A319576E990F98DAF4CBC96B612F07E2497B3A501DCF25BB9492BDA2CEE8D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.377{8D4DD44E-79A2-616D-2B09-000000000402}43845484C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000043982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.377{8D4DD44E-79A2-616D-2B09-000000000402}43845484C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000043981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.299{8D4DD44E-79A2-616D-2B09-000000000402}43845484C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+14e60|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 23542300x800000000000000043980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.221{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F943FE45E9F706FC6743F0215B2B2167,SHA256=8EC01DB3B1ECDCC7B5D7D785F41191A06E932BAA49967AE04E494B61A47F5905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.205{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F0E036CC8A231B049BAF04C2EBC4F9,SHA256=BDAA1AE51F2ECF7FBAD8F1328FA988964D434472C2F0F4CD5ED5493E932A3B6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.174{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.174{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85C6DE38A0BCF546AD58CFD17F62691E,SHA256=6E20DCCFAB4292E01DF11AA4312D3694BC0267BC8B1CFEAC7DFE5DB62DC1BB76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.174{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B622B98F0780A079DF188AEED7525886,SHA256=97FB520325E0013D029734D483A7962A2BCB6182A61BD40583F43A132E53FD0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.158{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000043974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.158{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000043973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.158{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.158{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.143{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-79AE-616D-4709-000000000402}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A5-616D-3909-000000000402}4668C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-3309-000000000402}5100C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A5-616D-3909-000000000402}4668C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-3309-000000000402}5100C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043949Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043948Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A5-616D-3909-000000000402}4668C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043947Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043946Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.127{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-3309-000000000402}5100C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043945Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043944Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043943Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043942Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043941Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043940Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043939Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A5-616D-3909-000000000402}4668C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043938Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043937Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-3309-000000000402}5100C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043936Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043935Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043934Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043933Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043932Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043931Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-5BA8-616D-0C00-000000000402}8484372C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043930Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-79AE-616D-4709-000000000402}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043929Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-79AE-616D-4709-000000000402}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043928Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.967{8D4DD44E-79AE-616D-4709-000000000402}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043927Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043926Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043925Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043924Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043923Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A5-616D-3909-000000000402}4668C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043922Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043921Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-3309-000000000402}5100C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043920Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043919Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043918Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043917Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043916Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043915Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043914Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A5-616D-3909-000000000402}4668C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043913Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043912Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-3309-000000000402}5100C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043911Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043910Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.111{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043909Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.096{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043908Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.096{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043907Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.096{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043906Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.096{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043905Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.096{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A5-616D-3909-000000000402}4668C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043904Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.096{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043903Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.096{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-3309-000000000402}5100C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043902Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.096{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043901Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.096{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043900Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.080{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043899Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.080{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043898Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.080{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043897Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.080{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A6-616D-3B09-000000000402}4992C:\Windows\System32\ie4uinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043896Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.080{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A5-616D-3909-000000000402}4668C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043895Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.080{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043894Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.080{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-3309-000000000402}5100C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043893Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.080{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043892Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.080{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000043891Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.080{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+b8fc|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000043890Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.028{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+c370|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000043889Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.028{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+7e00|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 23542300x800000000000000029717Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:08.679{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05AE57872FB0852872296AA9E0A768F0,SHA256=0CBBA89BD436A90EF35BBFDE950414695E64B6B4B1EE50EA5F02C13A351E1078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029716Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:08.429{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029715Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:05.974{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com51618-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 10341000x800000000000000045242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.971{8D4DD44E-79B0-616D-4909-000000000402}57165708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000045240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000045239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+156961|C:\Windows\System32\windows.storage.dll+15645a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+156961|C:\Windows\System32\windows.storage.dll+15645a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+156961|C:\Windows\System32\windows.storage.dll+15645a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+156961|C:\Windows\System32\windows.storage.dll+15645a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+534ee|C:\Windows\System32\SHELL32.dll+84812|C:\Windows\System32\SHELL32.dll+8de1a|C:\Windows\System32\windows.storage.dll+162e0d|C:\Windows\System32\windows.storage.dll+162a4f|C:\Windows\System32\windows.storage.dll+156780|C:\Windows\System32\windows.storage.dll+15645a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+53458|C:\Windows\System32\SHELL32.dll+84812|C:\Windows\System32\SHELL32.dll+8de1a|C:\Windows\System32\windows.storage.dll+162e0d|C:\Windows\System32\windows.storage.dll+162a4f|C:\Windows\System32\windows.storage.dll+156780|C:\Windows\System32\windows.storage.dll+15645a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5343a|C:\Windows\System32\SHELL32.dll+84812|C:\Windows\System32\SHELL32.dll+8de1a|C:\Windows\System32\windows.storage.dll+162e0d|C:\Windows\System32\windows.storage.dll+162a4f|C:\Windows\System32\windows.storage.dll+156780|C:\Windows\System32\windows.storage.dll+15645a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5343a|C:\Windows\System32\SHELL32.dll+84812|C:\Windows\System32\SHELL32.dll+8de1a|C:\Windows\System32\windows.storage.dll+162e0d|C:\Windows\System32\windows.storage.dll+162a4f|C:\Windows\System32\windows.storage.dll+156780|C:\Windows\System32\windows.storage.dll+15645a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+157588|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+157588|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+157588|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+157588|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+157565|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+157565|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+157565|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+157565|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1596f0|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1596f0|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1596f0|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9 10341000x800000000000000045219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1596f0|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000045218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15d2ef|C:\Windows\System32\windows.storage.dll+15a64d|C:\Windows\System32\windows.storage.dll+15b43d|C:\Windows\System32\windows.storage.dll+1595ba|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15d2ef|C:\Windows\System32\windows.storage.dll+15a64d|C:\Windows\System32\windows.storage.dll+15b43d|C:\Windows\System32\windows.storage.dll+1595ba|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15d2ef|C:\Windows\System32\windows.storage.dll+15a64d|C:\Windows\System32\windows.storage.dll+15b43d|C:\Windows\System32\windows.storage.dll+1595ba|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781 10341000x800000000000000045215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15d2ef|C:\Windows\System32\windows.storage.dll+15a64d|C:\Windows\System32\windows.storage.dll+15b43d|C:\Windows\System32\windows.storage.dll+1595ba|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e 10341000x800000000000000045214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15d946|C:\Windows\System32\windows.storage.dll+15d2cb|C:\Windows\System32\windows.storage.dll+15a64d|C:\Windows\System32\windows.storage.dll+15b43d|C:\Windows\System32\windows.storage.dll+1595ba|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000045213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15d946|C:\Windows\System32\windows.storage.dll+15d2cb|C:\Windows\System32\windows.storage.dll+15a64d|C:\Windows\System32\windows.storage.dll+15b43d|C:\Windows\System32\windows.storage.dll+1595ba|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000045212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15d946|C:\Windows\System32\windows.storage.dll+15d2cb|C:\Windows\System32\windows.storage.dll+15a64d|C:\Windows\System32\windows.storage.dll+15b43d|C:\Windows\System32\windows.storage.dll+1595ba|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80 10341000x800000000000000045211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15d946|C:\Windows\System32\windows.storage.dll+15d2cb|C:\Windows\System32\windows.storage.dll+15a64d|C:\Windows\System32\windows.storage.dll+15b43d|C:\Windows\System32\windows.storage.dll+1595ba|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781 10341000x800000000000000045210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e 10341000x800000000000000045209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e 10341000x800000000000000045208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25 10341000x800000000000000045207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c 10341000x800000000000000045206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781 10341000x800000000000000045205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781 10341000x800000000000000045204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae 10341000x800000000000000045203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25 23542300x800000000000000045202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.955{8D4DD44E-79A2-616D-2B09-000000000402}4384ATTACKRANGE\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7070cff6-3f9d-415c-b9ce-a864e4926938}\Apps.indexMD5=BE8939284DE8B7DBDE639090492D2601,SHA256=21E035EBBC5AA77806591D08C6169D3A3D40EBA5FA6CA47A9A54D6B41258B4C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e 10341000x800000000000000045200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e 10341000x800000000000000045199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25 10341000x800000000000000045198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c 10341000x800000000000000045197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781 10341000x800000000000000045196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781 10341000x800000000000000045195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae 10341000x800000000000000045194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25 23542300x800000000000000045193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}4384ATTACKRANGE\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7070cff6-3f9d-415c-b9ce-a864e4926938}\Apps.ftMD5=6A59807EA646A11B2E15F545C5A004CE,SHA256=EDA8A87A29B213A4B36560DD9901D05E8AF4188B96C43043C2C1A7CB3C512F9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e 10341000x800000000000000045188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e 10341000x800000000000000045187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25 10341000x800000000000000045186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c 10341000x800000000000000045185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781 10341000x800000000000000045184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781 10341000x800000000000000045183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae 10341000x800000000000000045182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25 23542300x800000000000000045181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}4384ATTACKRANGE\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7070cff6-3f9d-415c-b9ce-a864e4926938}\Apps.dataMD5=EC6D0478285D04EC7E205AA26B607E12,SHA256=BBA1314B4588EDCADC18B980B3EEE2BF34A2F4FAEAC469D588E870CF4C76C2B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e 10341000x800000000000000045179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e 10341000x800000000000000045178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25 10341000x800000000000000045177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c 10341000x800000000000000045176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781 10341000x800000000000000045175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781 10341000x800000000000000045174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae 10341000x800000000000000045173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25 10341000x800000000000000045172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-5BB9-616D-2A00-000000000402}29965208C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000045171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-5BB9-616D-2A00-000000000402}29965208C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 18141800x800000000000000045170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-18 13:42:08.939{8D4DD44E-79A3-616D-3609-000000000402}4800\TDLN-4800-41C:\Windows\Explorer.EXE 23542300x800000000000000045169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}4384ATTACKRANGE\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7070cff6-3f9d-415c-b9ce-a864e4926938}\0.2.filtertrie.intermediate.txtMD5=C204E9FAAF8565AD333828BEFF2D786E,SHA256=D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000045168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-CreatePipe2021-10-18 13:42:08.939{8D4DD44E-5BB9-616D-2A00-000000000402}2996\TDLN-4800-41C:\Windows\system32\svchost.exe 10341000x800000000000000045167Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-5BB9-616D-2A00-000000000402}29965208C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000045166Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-5BB9-616D-2A00-000000000402}29965208C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000045165Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045164Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e 10341000x800000000000000045163Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e 10341000x800000000000000045162Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045161Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25 10341000x800000000000000045160Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c 10341000x800000000000000045159Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781 10341000x800000000000000045158Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781 10341000x800000000000000045157Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae 10341000x800000000000000045156Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25 10341000x800000000000000045155Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045154Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}4384ATTACKRANGE\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7070cff6-3f9d-415c-b9ce-a864e4926938}\0.1.filtertrie.intermediate.txtMD5=34BD1DFB9F72CF4F86E6DF6DA0A9E49A,SHA256=8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045153Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045152Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045151Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e 10341000x800000000000000045150Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e 10341000x800000000000000045149Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25 10341000x800000000000000045148Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045147Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+15c594|C:\Windows\System32\windows.storage.dll+15e8ae|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c 10341000x800000000000000045146Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781 10341000x800000000000000045145Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781 10341000x800000000000000045144Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae 10341000x800000000000000045143Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+1603a6|C:\Windows\System32\windows.storage.dll+15d3d7|C:\Windows\System32\windows.storage.dll+15e869|C:\Windows\System32\windows.storage.dll+15a0c3|C:\Windows\System32\windows.storage.dll+159af0|C:\Windows\System32\windows.storage.dll+159532|C:\Windows\System32\windows.storage.dll+159325|C:\Windows\System32\windows.storage.dll+15979b|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25 10341000x800000000000000045142Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A3-616D-3609-000000000402}48003344C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+37bbe|C:\Windows\System32\wpncore.dll+232a3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 23542300x800000000000000045141Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}4384ATTACKRANGE\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7070cff6-3f9d-415c-b9ce-a864e4926938}\0.0.filtertrie.intermediate.txtMD5=41474317807F6B908173C71391B3D835,SHA256=061F658705A8BB86659245CBF43DBB772DD0CAF2870E5F895758D6FFCFD7CABD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045140Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A3-616D-3609-000000000402}48003344C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+38e70|C:\Windows\System32\wpncore.dll+23267|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x800000000000000045139Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A3-616D-3609-000000000402}48005268C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+37bbe|C:\Windows\System32\wpncore.dll+232a3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x800000000000000045138Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A3-616D-3609-000000000402}48005268C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+38e70|C:\Windows\System32\wpncore.dll+23267|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x800000000000000045137Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045136Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045135Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1596db|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045134Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1596db|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045133Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1596db|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9 10341000x800000000000000045132Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.939{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1596db|C:\Windows\System32\windows.storage.dll+154eee|C:\Windows\System32\windows.storage.dll+1576e8|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000045131Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.924{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1577d1|C:\Windows\System32\windows.storage.dll+1576a4|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045130Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.924{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1577d1|C:\Windows\System32\windows.storage.dll+1576a4|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045129Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.924{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1577d1|C:\Windows\System32\windows.storage.dll+1576a4|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000045128Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.924{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1577d1|C:\Windows\System32\windows.storage.dll+1576a4|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045127Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.924{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1577d1|C:\Windows\System32\windows.storage.dll+157683|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045126Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.924{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1577d1|C:\Windows\System32\windows.storage.dll+157683|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045125Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.924{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1577d1|C:\Windows\System32\windows.storage.dll+157683|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000045124Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.924{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+153fd1|C:\Windows\System32\windows.storage.dll+153efc|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1577d1|C:\Windows\System32\windows.storage.dll+157683|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045123Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.924{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+609de|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+153eb9|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1577d1|C:\Windows\System32\windows.storage.dll+157683|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045122Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.924{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+153eb9|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1577d1|C:\Windows\System32\windows.storage.dll+157683|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000045121Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.924{8D4DD44E-79A2-616D-2B09-000000000402}43845804C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+153eb9|C:\Windows\System32\windows.storage.dll+15783b|C:\Windows\System32\windows.storage.dll+1577d1|C:\Windows\System32\windows.storage.dll+157683|C:\Windows\System32\windows.storage.dll+1571cd|C:\Windows\System32\windows.storage.dll+15644a|C:\Windows\System32\windows.storage.dll+16c1ae|C:\Windows\System32\windows.storage.dll+16bf25|C:\Windows\System32\windows.storage.dll+6892c|C:\Windows\System32\windows.storage.dll+68a80|C:\Windows\System32\windows.storage.dll+cc781|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045120Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.924{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045119Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.924{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045118Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.924{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43C760307B4787CC91FA5A51679784F,SHA256=1B1B2B2A755E3A8C7CA3EEC6D413B29C7083F0D7B623C9F26C320339F082CDEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045117Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.908{8D4DD44E-79A2-616D-2B09-000000000402}43845800C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+629f3|C:\Windows\System32\windows.storage.dll+648c3|C:\Windows\System32\windows.storage.dll+62904|C:\Windows\System32\windows.storage.dll+64e3d|C:\Windows\System32\windows.storage.dll+66b0c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c 10341000x800000000000000045116Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.908{8D4DD44E-79A2-616D-2B09-000000000402}43845800C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+62990|C:\Windows\System32\windows.storage.dll+648a4|C:\Windows\System32\windows.storage.dll+62904|C:\Windows\System32\windows.storage.dll+64e3d|C:\Windows\System32\windows.storage.dll+66b0c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c 10341000x800000000000000045115Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.908{8D4DD44E-79A2-616D-2B09-000000000402}43845800C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+63b0b|C:\Windows\System32\windows.storage.dll+62fe5|C:\Windows\System32\windows.storage.dll+62dca|C:\Windows\System32\windows.storage.dll+64df6|C:\Windows\System32\windows.storage.dll+66b0c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c 10341000x800000000000000045114Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.908{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+9f408|C:\Windows\System32\windows.storage.dll+9ace9|C:\Windows\System32\windows.storage.dll+9ae74|C:\Windows\System32\windows.storage.dll+a0166|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000045113Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.908{8D4DD44E-79A2-616D-2B09-000000000402}43845800C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+9fa30|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045112Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.908{8D4DD44E-79A2-616D-2B09-000000000402}43845800C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+cb257|C:\Windows\System32\windows.storage.dll+c8b02|C:\Windows\System32\windows.storage.dll+c90f8|C:\Windows\System32\windows.storage.dll+9a8cf|C:\Windows\System32\windows.storage.dll+9fa15|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c 10341000x800000000000000045111Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.908{8D4DD44E-79A2-616D-2B09-000000000402}43845800C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+c94c3|C:\Windows\System32\windows.storage.dll+9a820|C:\Windows\System32\windows.storage.dll+9a8b5|C:\Windows\System32\windows.storage.dll+9fa15|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c|C:\Windows\System32\windows.storage.dll+cec1e 10341000x800000000000000045110Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.908{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+9f408|C:\Windows\System32\windows.storage.dll+9ace9|C:\Windows\System32\windows.storage.dll+9ae74|C:\Windows\System32\windows.storage.dll+a0166|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 11241100x800000000000000045109Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.908{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{cafa2793-e7ca-4dc0-80d7-ceeb6b335eee}\0.2.filtertrie.intermediate.txt2021-10-18 13:42:08.893 11241100x800000000000000045108Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.893{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{cafa2793-e7ca-4dc0-80d7-ceeb6b335eee}\0.1.filtertrie.intermediate.txt2021-10-18 13:42:08.893 11241100x800000000000000045107Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.893{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{cafa2793-e7ca-4dc0-80d7-ceeb6b335eee}\0.0.filtertrie.intermediate.txt2021-10-18 13:42:08.893 23542300x800000000000000045106Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.877{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEAD934B1A62C9F22799F06BB661566F,SHA256=0627EE1C48B2D30DD006D464A5C95AEEBA5A37D154EE0C1AFD0F0BF76A55B97E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000045105Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.846{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1baf14eb-3550-4a5f-8dc6-f7e193c71cd6}\Appssynonyms.txt2016-04-15 08:09:24.000 23542300x800000000000000045104Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.846{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1baf14eb-3550-4a5f-8dc6-f7e193c71cd6}\Appssynonyms.txtMD5=1B40201D4198B50EBC59908171C9DFAC,SHA256=C7F8A34F43BA6FFA73D26B1BB601FD00AE59310E59E3AA6401721D9AB8E91A92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045103Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.830{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045102Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.830{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045101Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.783{8D4DD44E-79A3-616D-3609-000000000402}48002900C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A5CC7)|UNKNOWN(FFFFDFE6026A0351)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE60269FFD6)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf37a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000045100Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.783{8D4DD44E-79A3-616D-3609-000000000402}48002900C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A5CC7)|UNKNOWN(FFFFDFE6026A0351)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE60269FFD6)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf37a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000045099Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.768{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132790381286312067.txt2021-10-18 13:42:08.768 10341000x800000000000000045098Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045097Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045096Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045095Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045094Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045093Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045092Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045091Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045090Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045089Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045088Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045087Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045086Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045085Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045084Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045083Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045082Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045081Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045080Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045079Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045078Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045077Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045076Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045075Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045074Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=600319DC9065DCF3627AD0C3AA6ADA4B,SHA256=5720DB5EFB6F1D1DE65664BAF4518580C3736BC137A62BF697827ABC01E39F46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045073Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045072Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045071Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045070Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045069Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045068Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045067Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045066Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045065Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045064Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045063Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045062Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045061Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045060Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045059Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045058Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045057Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045056Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045055Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045054Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.736{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-79B0-616D-4909-000000000402}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-79B0-616D-4909-000000000402}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-79B0-616D-4909-000000000402}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.585{8D4DD44E-79B0-616D-4909-000000000402}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000044992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044949Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044948Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044947Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044946Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.721{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044945Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000044944Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044943Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044942Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044941Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044940Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044939Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044938Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044937Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044936Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044935Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044934Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044933Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044932Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044931Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044930Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044929Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044928Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044927Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044926Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044925Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044924Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044923Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044922Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044921Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044920Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044919Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044918Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044917Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044916Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044915Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044914Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044913Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000044912Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044911Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044910Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044909Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044908Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044907Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044906Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044905Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044904Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044903Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044902Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044901Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044900Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044899Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044898Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044897Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044896Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044895Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044894Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044893Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044892Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044891Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044890Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044889Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044888Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044887Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044886Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044885Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044884Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044883Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044882Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044881Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044880Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044879Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044878Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044877Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044876Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044875Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044874Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044873Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044872Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044871Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044870Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.705{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044869Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000044868Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044867Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044866Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044865Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044864Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044863Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044862Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044861Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000044860Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044859Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044858Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044857Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044856Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044855Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044854Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044853Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044852Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044851Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044850Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044849Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044848Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044847Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044846Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044845Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044844Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044843Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044842Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044841Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044840Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044839Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044838Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044837Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044836Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044835Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044834Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044833Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044832Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044831Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044830Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044829Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044828Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044827Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044826Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044825Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044824Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044823Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044822Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044821Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044820Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044819Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044818Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044817Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044816Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044815Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044814Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044813Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044812Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044811Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044810Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044809Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044808Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044807Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044806Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044805Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044804Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044803Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044802Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044801Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044800Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044799Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044798Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044797Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044796Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044795Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044794Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.689{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044793Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.674{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044792Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.674{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044791Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.674{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044790Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.674{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044789Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.674{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000044788Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.674{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044787Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.674{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044786Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.674{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044785Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.674{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000044784Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.674{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+1a8f31|C:\Windows\System32\TwinUI.dll+b7ad9|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044783Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.674{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+1a8f31|C:\Windows\System32\TwinUI.dll+b7ad9|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044782Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.674{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+1a8f31|C:\Windows\System32\TwinUI.dll+b7ad9|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044781Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.674{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044780Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.674{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044779Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.674{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044778Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.658{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044777Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.658{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044776Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.627{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+5bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000044775Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.627{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044774Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.627{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000044773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.627{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+5bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000044772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.627{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.627{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000044770Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.564{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044769Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.564{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044768Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.549{8D4DD44E-79A2-616D-2B09-000000000402}43845424C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000044767Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.549{8D4DD44E-79A2-616D-2B09-000000000402}43842188C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 354300x800000000000000044766Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:06.104{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59055-false10.0.1.12-8000- 10341000x800000000000000044765Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.518{8D4DD44E-79A2-616D-2B09-000000000402}43842188C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000044764Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.518{8D4DD44E-79A2-616D-2B09-000000000402}43842188C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AC-616D-4309-000000000402}1208C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 13241300x800000000000000044763Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:42:08.502{8D4DD44E-79A2-616D-2B09-000000000402}4384C:\Windows\System32\RuntimeBroker.exeHKU\S-1-5-21-3740187008-2201179595-1268207648-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FBF23B40-E3F0-101B-8488-00AA003E56F8} {000214FA-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x800000000000000044762Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43846140C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044761Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43846140C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044760Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044759Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044758Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044757Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845968C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845968C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.486{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845496C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845496C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43846120C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43846120C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845828C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845828C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845748C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000044709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845748C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346 10341000x800000000000000044706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845748C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000044695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845904C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845904C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845748C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346 10341000x800000000000000044684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845884C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845884C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.471{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846012C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846012C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845828C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845828C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845828C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845828C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845452C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845452C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846068C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846068C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845448C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845448C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846128C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846128C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000044642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846052C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845484C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846052C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845484C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845364C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43843960C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845428C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845364C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845424C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43843960C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845428C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845424C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43844276C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43844276C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846028C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43844980C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846028C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43844980C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845852C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845852C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845932C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845348C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845348C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845932C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845288C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845288C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845292C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845292C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845256C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845360C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845256C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845260C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845260C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845264C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43845264C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43842188C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43842188C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846136C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846132C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846136C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846132C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846128C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846128C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846096C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846108C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846096C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846108C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846084C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.455{8D4DD44E-79A2-616D-2B09-000000000402}43846084C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845520C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845520C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43846052C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43846076C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43846052C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43846076C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43846068C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43846068C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43846060C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43846060C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845992C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43846036C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845992C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43846036C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43846028C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43846028C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43846012C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43846012C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845988C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845988C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845968C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845968C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845932C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845932C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845944C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845944C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845836C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845836C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845924C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845908C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845924C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845908C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845884C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845916C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845916C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845884C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845876C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845876C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845484C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845484C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000044530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000044528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845508C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845436C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845436C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845852C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845852C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845520C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845520C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845504C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845588C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000044519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845504C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845852C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845852C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845828C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845828C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845504C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845504C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845436C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845836C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845436C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845836C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845828C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845828C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845504C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845504C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845512C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845520C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845484C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845520C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845484C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845436C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845496C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845436C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845496C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.439{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.424{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.424{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000044488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.377{8D4DD44E-79A2-616D-2B09-000000000402}43845800C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+629f3|C:\Windows\System32\windows.storage.dll+648c3|C:\Windows\System32\windows.storage.dll+62904|C:\Windows\System32\windows.storage.dll+64e3d|C:\Windows\System32\windows.storage.dll+66b0c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c 10341000x800000000000000044487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.377{8D4DD44E-79A2-616D-2B09-000000000402}43845800C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+62990|C:\Windows\System32\windows.storage.dll+648a4|C:\Windows\System32\windows.storage.dll+62904|C:\Windows\System32\windows.storage.dll+64e3d|C:\Windows\System32\windows.storage.dll+66b0c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c 10341000x800000000000000044486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.377{8D4DD44E-79A2-616D-2B09-000000000402}43845800C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+63b0b|C:\Windows\System32\windows.storage.dll+62fe5|C:\Windows\System32\windows.storage.dll+62dca|C:\Windows\System32\windows.storage.dll+64df6|C:\Windows\System32\windows.storage.dll+66b0c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c 10341000x800000000000000044485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.377{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+9f408|C:\Windows\System32\windows.storage.dll+9ace9|C:\Windows\System32\windows.storage.dll+9ae74|C:\Windows\System32\windows.storage.dll+a0166|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000044484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.361{8D4DD44E-79A2-616D-2B09-000000000402}43845800C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+9fa30|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c|C:\Windows\System32\windows.storage.dll+cec1e|C:\Windows\System32\windows.storage.dll+1a6ef9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.361{8D4DD44E-79A2-616D-2B09-000000000402}43845800C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+cb257|C:\Windows\System32\windows.storage.dll+c8b02|C:\Windows\System32\windows.storage.dll+c90f8|C:\Windows\System32\windows.storage.dll+9a8cf|C:\Windows\System32\windows.storage.dll+9fa15|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c 10341000x800000000000000044482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.361{8D4DD44E-79A2-616D-2B09-000000000402}43845800C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+c94c3|C:\Windows\System32\windows.storage.dll+9a820|C:\Windows\System32\windows.storage.dll+9a8b5|C:\Windows\System32\windows.storage.dll+9fa15|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c|C:\Windows\System32\windows.storage.dll+cec1e 10341000x800000000000000044481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.361{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+9f408|C:\Windows\System32\windows.storage.dll+9ace9|C:\Windows\System32\windows.storage.dll+9ae74|C:\Windows\System32\windows.storage.dll+a0166|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 23542300x800000000000000044480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.361{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63F775EF6AA64B5351A753CE898356E,SHA256=2E0D5D524CE9CC8842F276428F3C398B9B4D3D515ADB6E9348283C245FB3E684,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.346{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7070cff6-3f9d-415c-b9ce-a864e4926938}\0.2.filtertrie.intermediate.txt2021-10-18 13:42:08.346 11241100x800000000000000044478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.346{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7070cff6-3f9d-415c-b9ce-a864e4926938}\0.1.filtertrie.intermediate.txt2021-10-18 13:42:08.346 11241100x800000000000000044477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.346{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7070cff6-3f9d-415c-b9ce-a864e4926938}\0.0.filtertrie.intermediate.txt2021-10-18 13:42:08.346 11241100x800000000000000044476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.314{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1baf14eb-3550-4a5f-8dc6-f7e193c71cd6}\Appssynonyms.txt2016-04-15 08:09:24.000 23542300x800000000000000044475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.314{8D4DD44E-79AE-616D-4509-000000000402}3780ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1baf14eb-3550-4a5f-8dc6-f7e193c71cd6}\appssynonyms.txtMD5=0159FA2FCDF8F84DB30198B1B3F95415,SHA256=4123D6B7736C9764973415C8F03F58E76FB2FB0A08E8F55CE9165C0C631C955E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.252{8D4DD44E-79A3-616D-3609-000000000402}48002900C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A5CC7)|UNKNOWN(FFFFDFE6026A0351)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE60269FFD6)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf37a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000044473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.252{8D4DD44E-79A3-616D-3609-000000000402}48002900C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A5CC7)|UNKNOWN(FFFFDFE6026A0351)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE60269FFD6)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf37a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000044472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.252{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1baf14eb-3550-4a5f-8dc6-f7e193c71cd6}\settingssynonyms.txt2021-10-18 13:42:08.252 11241100x800000000000000044471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.252{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1baf14eb-3550-4a5f-8dc6-f7e193c71cd6}\appssynonyms.txt2021-10-18 13:42:08.252 11241100x800000000000000044470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.252{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1baf14eb-3550-4a5f-8dc6-f7e193c71cd6}\settingsconversions.txt2021-10-18 13:42:08.252 11241100x800000000000000044469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.252{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1baf14eb-3550-4a5f-8dc6-f7e193c71cd6}\appsconversions.txt2021-10-18 13:42:08.252 11241100x800000000000000044468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.252{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1baf14eb-3550-4a5f-8dc6-f7e193c71cd6}\settingsglobals.txt2021-10-18 13:42:08.236 11241100x800000000000000044467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.236{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1baf14eb-3550-4a5f-8dc6-f7e193c71cd6}\appsglobals.txt2021-10-18 13:42:08.236 11241100x800000000000000044466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.221{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132790381278189659.txt2021-10-18 13:42:08.221 10341000x800000000000000044465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.221{8D4DD44E-79A3-616D-3609-000000000402}48002900C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A5CC7)|UNKNOWN(FFFFDFE6026A0351)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE60269FFD6)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf37a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000044464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.221{8D4DD44E-79A3-616D-3609-000000000402}48002900C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A5CC7)|UNKNOWN(FFFFDFE6026A0351)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE60269FFD6)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf37a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044448Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044447Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044446Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044445Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044444Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044443Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044442Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044441Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044440Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044439Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044438Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044437Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044436Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044435Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044434Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044433Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044432Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044431Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.189{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044430Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044429Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044428Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044427Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044426Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044425Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044424Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044423Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044422Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044421Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044420Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044419Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044418Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044417Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044416Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044415Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044414Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044413Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044412Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044411Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044410Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044409Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044408Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044407Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044406Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044405Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044404Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044403Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044402Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044401Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044400Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044399Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044398Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044397Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044396Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044395Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044394Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044393Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044392Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044391Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044390Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044389Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044388Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044387Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044386Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044385Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044384Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044383Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044382Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044381Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044380Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044379Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044378Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044377Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044376Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044375Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044374Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044373Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044372Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044371Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044370Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044369Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044368Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044367Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000044366Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044365Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044364Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044363Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044362Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044361Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044360Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044359Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044358Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044357Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044356Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044355Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044354Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.174{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044353Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044352Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044351Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044350Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044349Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044348Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044347Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044346Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044345Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044344Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044343Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044342Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044341Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044340Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044339Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044338Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044337Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044336Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044335Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044334Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044333Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044332Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044331Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044330Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044329Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044328Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044327Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044326Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044325Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044324Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044323Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044322Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044321Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044320Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044319Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000044318Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044317Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044316Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044315Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044314Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044313Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044312Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A000748EC8647E9064AB158A60A1C9A,SHA256=7CFAC6D5B1450D49D653B95FC76CFF74657D5713D1DF791045FA6C34C2EC34CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.158{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000044285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.143{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000044241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000044233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.127{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-5BA9-616D-1000-000000000402}4961796C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000044212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044167Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044166Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044165Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044164Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044163Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044162Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044161Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000044160Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044159Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.111{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044158Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.096{8D4DD44E-79A2-616D-2B09-000000000402}43845296C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000044157Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.096{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000044156Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.049{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+5bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000044155Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.049{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044154Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.049{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000044153Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.033{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+5bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000044152Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.033{8D4DD44E-5BA9-616D-1000-000000000402}4961776C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044151Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.033{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000044150Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.033{8D4DD44E-79A2-616D-2B09-000000000402}43845432C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 23542300x800000000000000044149Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:08.018{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B00B19002EAFAC5235B2E77E5856E6FA,SHA256=C359AB774DD9F263EFF404BC54C3E82069ED84DBB3B71C79944BED5ECACF5AD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:09.611{8D4DD44E-79B1-616D-4A09-000000000402}62446248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000045253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:07.656{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59056-false10.0.1.12-8089- 10341000x800000000000000045252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:09.471{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-79B1-616D-4A09-000000000402}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:09.471{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:09.471{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:09.471{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:09.471{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:09.471{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-79B1-616D-4A09-000000000402}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:09.471{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-79B1-616D-4A09-000000000402}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:09.471{8D4DD44E-79B1-616D-4A09-000000000402}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:09.033{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0EE931404B1E5CDB34A9E6D0F3C1FB1,SHA256=3F11186E538A8E4B7BEB53397F1CFA646796A8470B1BE14BF56FD56BCED0ACB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:09.033{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1D3AE3BEFB722163187ABE72E8BC02,SHA256=ED6D10D48E031DB9E00A2C945EE54448A2232F37A238FD9AB6E70D477DAC66D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029719Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:09.882{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C13788E91DAE1DDD7174EDB2834C6B1D,SHA256=9454BA1A57A8879B453BF1927F8996F98CFAD021B9485A908EBC0C65823B3ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029718Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:09.695{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8650E4EE33872A850EFFE72360F02C65,SHA256=9810E790CEEE9C0120A5D801A37CBE992F0A22AAE35AA57216DD4D4EB9A82F88,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000045284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:42:10.611{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000007ff) 10341000x800000000000000045283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.549{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.533{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.518{8D4DD44E-79B2-616D-4B09-000000000402}62926296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.502{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.502{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D9DC6193CAAAA45BD9ED13FA06AE022,SHA256=C4E44A03A9BC8BACFF12A3BCB8CECE7DB12929B118699581DE4AC79804704C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.486{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.471{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.471{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.439{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.424{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.408{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.393{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.377{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.314{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.299{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.299{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.299{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.299{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.299{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.299{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.283{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-79B2-616D-4B09-000000000402}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.283{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.283{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.283{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.283{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.283{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-79B2-616D-4B09-000000000402}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.283{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-79B2-616D-4B09-000000000402}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.143{8D4DD44E-79B2-616D-4B09-000000000402}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:10.143{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A2AEE7BAE991067206B993D7CC84EB,SHA256=0E33E191B09CD8671FC976E7AEB047BBF4B29D1998A7DA397A6FA776E1BCB537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029723Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:10.710{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD258C7A936FA4B15D5435F80B3E4612,SHA256=4988E3917A4E41A76B035CA2DCABA9865C270ABA07917416727F366C50454130,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029722Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:08.649{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029721Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:07.993{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com51785-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x800000000000000029720Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:07.961{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 13241300x800000000000000045310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:42:11.986{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000045309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:42:11.986{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007570c2) 13241300x800000000000000045308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:42:11.986{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c41d-0x91dac6c6) 13241300x800000000000000045307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:42:11.986{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c425-0xf39f2ec6) 13241300x800000000000000045306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:42:11.986{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c42e-0x556396c6) 10341000x800000000000000045305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.892{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.892{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.892{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.892{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.892{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.892{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.892{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.486{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.486{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.486{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.486{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.486{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1200-000000000402}784C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.455{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B3-616D-4D09-000000000402}6400C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.455{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B3-616D-4D09-000000000402}6400C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.425{8D4DD44E-5BA9-616D-1600-000000000402}12921416C:\Windows\system32\svchost.exe{8D4DD44E-79B3-616D-4D09-000000000402}6400C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.425{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79B3-616D-4D09-000000000402}6400C:\Windows\System32\mobsync.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.393{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B3-616D-4D09-000000000402}6400C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.377{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-79B3-616D-4D09-000000000402}6400C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.361{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-79B3-616D-4D09-000000000402}6400C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.361{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B3-616D-4D09-000000000402}6400C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.268{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09FA172258BBE6C369BB0FBAC04CD8F4,SHA256=8AF3C02D25B82AC6E45D572890C16E5556A267B85EBF97614F37AA0B392EB8B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029724Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:11.726{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8407BC21F407F80BA495AC9DB7FE37,SHA256=089C76C2F6FA9513095EDF9D2994F6E303C2AB01E42BA7AAF599ACC367B77D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045340Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.939{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=16A2706CC64D09B638453D86F966C3FF,SHA256=494AB04244CDE07342EE0408F053FD9FB3E3340A9FFC878327334DAD65AE6E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045339Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.939{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EBCACFD390209ED292B842CA168FF3D3,SHA256=9545319D2439F47B477B7719AF17A31669C09343D09A1EB2A233C2E45920C5D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045338Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.846{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045337Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.830{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045336Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.814{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045335Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.799{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045334Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.799{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045333Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.783{8D4DD44E-79A2-616D-2B09-000000000402}43842188C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000045332Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.783{8D4DD44E-79A2-616D-2B09-000000000402}43842188C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000045331Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.783{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045330Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.752{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045329Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.736{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045328Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.721{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045327Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.705{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045326Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.689{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045325Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.689{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000045324Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.689{8D4DD44E-79A2-616D-2B09-000000000402}43845124C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000045323Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.674{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045322Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.564{8D4DD44E-5BA9-616D-1200-000000000402}7844620C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\ncbservice.dll+86ee|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045321Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.564{8D4DD44E-5BA9-616D-1200-000000000402}7844620C:\Windows\System32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|c:\windows\system32\ncbservice.dll+86c0|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045320Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.455{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D3DA29193D905C3821F5877EE08C7E3,SHA256=BFF46E0CFA34B9EBE5731904F79261F901DE89D1F2F18E809333DB7B38FAD06D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045319Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.408{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767324DD23807C9380CD6D4E7E6E3C6B,SHA256=3AB373C009E93F035672CEEAAB43E770693A2DF85845D7F7B6B1B3877443D317,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045318Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.174{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-79B3-616D-4E09-000000000402}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045317Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.174{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045316Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.174{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045315Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.174{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045314Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.174{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045313Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.174{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-79B3-616D-4E09-000000000402}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045312Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.174{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-79B3-616D-4E09-000000000402}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.956{8D4DD44E-79B3-616D-4E09-000000000402}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029727Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:12.742{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC82B68B78A0AC71ED1E7CB2A532DC6F,SHA256=8BED0B98819C7452D6F952175E0AACA80E0B459E20F5FC07417713824E82E7FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029726Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:12.523{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1DA1CAD09C79E11235BFBE42BD268D5,SHA256=2264B9878088F01FADBCC9F7CC91C3093D4A0C79756CCCB102AFFB054B7669C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029725Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:10.630{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com51985-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 10341000x800000000000000045385Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.986{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045384Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.986{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045383Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.986{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045382Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.986{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045381Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.986{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045380Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.986{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045379Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.986{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045378Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.986{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045377Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.986{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000045376Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.067{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59059-false10.0.1.12-8000- 354300x800000000000000045375Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.840{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59058-false93.184.220.29-80http 354300x800000000000000045374Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.835{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local64255- 354300x800000000000000045373Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.800{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59057-false20.190.160.73-443https 354300x800000000000000045372Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.789{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-185.attackrange.local56202-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x800000000000000045371Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:11.789{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local65500- 23542300x800000000000000045370Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.722{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDC1D7EDCF27E15A3133C5CF3EF9CEB,SHA256=B67E6EE5A28F8AE0BA7FF6326A858C73A5733D160E63942544E0940A81208198,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045369Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.658{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045368Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.658{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045367Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.658{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045366Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.658{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045365Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.658{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045364Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.658{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045363Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.658{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045362Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.549{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045361Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.549{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045360Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.549{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045359Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.549{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045358Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.549{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045357Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.549{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045356Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.502{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045355Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.502{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045354Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.502{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045353Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.439{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045352Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.439{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045351Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.377{8D4DD44E-5BA9-616D-1600-000000000402}12926552C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045350Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.361{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045349Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.346{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045348Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.346{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045347Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.330{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045346Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.330{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045345Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.330{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045344Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.330{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045343Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.330{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045342Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.330{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000045341Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.330{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000029728Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:13.757{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE077DAA7157F8D7130EE4CDF6598AD,SHA256=576CA3D0EDE114DEC728D46D2F97ADA88EBD224196797B74297AD97D0F256304,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.470{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-185.attackrange.local59061-false20.199.120.151-443https 354300x800000000000000045555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.450{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local49317- 354300x800000000000000045554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:12.259{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59060-false20.190.160.73-443https 23542300x800000000000000045553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.642{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36359B025F95EC8F87BC3B4271AA816,SHA256=9F24FBE226A142FCFCFD071738EFABC3E6DB518141A39610D743BB72195891F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.596{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.596{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.596{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.596{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.596{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.596{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.580{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.564{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.564{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.564{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.564{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.564{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.564{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.564{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.564{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.564{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.564{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.564{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.564{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.549{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.549{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x800000000000000045514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.549{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271B57E75CAEA5FDD5FAAA657852C461,SHA256=9609D6F4BDB3C37105D8983714CC0A057E590B6AAB7600149CAF56C7A2C0AF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.549{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=16A2706CC64D09B638453D86F966C3FF,SHA256=494AB04244CDE07342EE0408F053FD9FB3E3340A9FFC878327334DAD65AE6E94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.455{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B6-616D-5109-000000000402}6708C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.439{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.439{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.439{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.439{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.439{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-79B6-616D-5109-000000000402}6708C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.439{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B6-616D-5109-000000000402}6708C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.445{8D4DD44E-79B6-616D-5109-000000000402}6708C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{8D4DD44E-5BA8-616D-0C00-000000000402}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000045504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.424{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.408{8D4DD44E-5BA6-616D-0A00-000000000402}620360C:\Windows\system32\services.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.408{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.408{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.408{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.408{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.408{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.408{8D4DD44E-5BA6-616D-0A00-000000000402}6202660C:\Windows\system32\services.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.415{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x800000000000000045495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.408{8D4DD44E-5BA6-616D-0B00-000000000402}6281872C:\Windows\system32\lsass.exe{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1e088|C:\Windows\system32\lsasrv.dll+1d2b1|C:\Windows\system32\lsasrv.dll+1bad0|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.408{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.408{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.408{8D4DD44E-5BA6-616D-0B00-000000000402}6281872C:\Windows\system32\lsass.exe{8D4DD44E-5BA6-616D-0A00-000000000402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.408{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BB4254ABDCC908B5253D49E727EF12,SHA256=78753C376001C6E557656DA56B2B2520A46158C552C90D9D102DD84513F699D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.392{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.392{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.392{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.392{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.392{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.392{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.392{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.392{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.392{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.392{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.392{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.392{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.392{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.377{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.377{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.377{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.377{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.377{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.377{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.377{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.377{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.377{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.377{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.377{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.377{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D88B7CA6C606DE243A9D04E4C320C6,SHA256=4CEBA6CC8E974B41BEACC523A795169FDD8FEB39D5E6EDE690AF1F23BDF194A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.346{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD795C1381FB6E7DDCD4D9F878CD7490,SHA256=91E9F465D0DA4D255DA52C3636B0DBC7E8C89444373C2E44F2088D784E38685F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.346{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A70869A866681CE944EA8E3F3951C7B,SHA256=BFCAE15B2C56572D0D1A7C11F04FD2553DA5AF05CEE05028E52943309FFF3FFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.236{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.236{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.236{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.236{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.236{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.236{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.221{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.221{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.221{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.221{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.221{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.221{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.221{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.221{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.221{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045448Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.221{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045447Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.221{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045446Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.221{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045445Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.205{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045444Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.205{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045443Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.205{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045442Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.205{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045441Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.205{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045440Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.205{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045439Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.205{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045438Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.205{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045437Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.205{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045436Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.205{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045435Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.205{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045434Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.205{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045433Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.192{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045432Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.192{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045431Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.192{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045430Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.192{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045429Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.192{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045428Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.192{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045427Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.174{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045426Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.174{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045425Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.174{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045424Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.174{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045423Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.174{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045422Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.174{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045421Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.158{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045420Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.158{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045419Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.158{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045418Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.158{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045417Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.158{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045416Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.158{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045415Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.082{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045414Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.082{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045413Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.082{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045412Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.082{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045411Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.082{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045410Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.082{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045409Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.064{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045408Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.064{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045407Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.064{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045406Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.064{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045405Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.064{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045404Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.064{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045403Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.064{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045402Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.064{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045401Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.064{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045400Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.064{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045399Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.064{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045398Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.064{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045397Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.049{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045396Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.049{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045395Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.049{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045394Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.049{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045393Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.049{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045392Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.049{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045391Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.049{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045390Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.049{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045389Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.033{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045388Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.033{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045387Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.033{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045386Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.033{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79B5-616D-4F09-000000000402}6560C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029730Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:14.960{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=333E97F1DF24CDF4F114F582EFB60CD6,SHA256=DD82DFF2127C23DEDD6D9FB5A0AA7B12BFDEDE8E93A9388FEB46536500050F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029729Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:14.757{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0270AF62FE7ED3C3D7BB44397449BA0A,SHA256=3C915B55C015FD1D4051F459529CDA72E682AB66A59D59C91449D4E89E2C079F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:13.500{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local55411- 23542300x800000000000000045580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.783{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F23AABB75D8C579D36DA93B40904DD,SHA256=05C0C40E1C71B84ED59038BE04C171B22B7153F3631E939AD3288B6EE343BF95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.642{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.642{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.517{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.517{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.517{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000045574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.502{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000045573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.502{8D4DD44E-5BB9-616D-2A00-000000000402}29964236C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000045572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.502{8D4DD44E-5BB9-616D-2A00-000000000402}29964236C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000045571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.439{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.424{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.424{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.424{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x800000000000000045567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.424{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B22949105140CC0E33605DFA7D979123,SHA256=0A98F2E41B5D197BB93E98E2318F9207B523B35ADCF54610D1DAD65EBEE1F3AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.424{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.408{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.408{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.408{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.392{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.392{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.392{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.346{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.330{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:15.127{8D4DD44E-5BA9-616D-1400-000000000402}10684684C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029733Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:15.773{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73D411EB69486C82E5D75BBDF17608A,SHA256=029762AFF50860E5E33BA7BE3DE32B7B81E6A5202DF7AB93F46C471AAE13D6F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029732Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:13.663{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029731Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:12.946{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com52144-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x800000000000000045583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.529{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local63252- 23542300x800000000000000045582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:16.767{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC7C0F0EE64048C84E9964D05562175A,SHA256=905BBF01226871D3A1156289E1296CE87EFC6411E448FAAAE83E796F91CBA43E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029734Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:16.773{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C12DA7668CC819325F9F92F0703675,SHA256=3432098AED9AA7CDF3C48DDF79E4E0B61C7A2CF76112F58182FF1514178484DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:14.620{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59062-false20.62.190.186-443https 23542300x800000000000000045585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:17.800{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9DD9E12C57E92AAED2CCCD7716EE45,SHA256=3FFDAE4891BF98EBE13761A2CF6811EB0F4843DCF53A4CE7C60EF976AAC8179F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:17.111{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x800000000000000029737Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:17.789{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF88B2F20EA11F7C8B4F0D5B889D2B3D,SHA256=6B7ED8FA4D97EC783451A6DDDE8E93F4D2F6029CC355D2FEB0E7CCD2968FEF14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029736Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:15.209{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com52330-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029735Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:17.117{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BB164E6D38011467A235C37DA99B3C0,SHA256=6686F503B911C29468ACE658A33CE687FE823C774906FEB533774A3CAE096828,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.924{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.924{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.924{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.924{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.924{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.924{8D4DD44E-79BA-616D-5209-000000000402}68406844C:\Windows\system32\cmd.exe{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.934{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper -Initial" C:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{8D4DD44E-79BA-616D-5209-000000000402}6840C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 10341000x800000000000000045611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.908{8D4DD44E-79A3-616D-3609-000000000402}48002836C:\Windows\Explorer.EXE{8D4DD44E-79BA-616D-5209-000000000402}6840C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.908{8D4DD44E-79A3-616D-3609-000000000402}48002836C:\Windows\Explorer.EXE{8D4DD44E-79BA-616D-5209-000000000402}6840C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.908{8D4DD44E-79A3-616D-3609-000000000402}48002836C:\Windows\Explorer.EXE{8D4DD44E-79BA-616D-5209-000000000402}6840C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.908{8D4DD44E-79A2-616D-2F09-000000000402}42682260C:\Windows\system32\taskhostw.exe{8D4DD44E-79BA-616D-5309-000000000402}6856C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.908{8D4DD44E-79A2-616D-2F09-000000000402}42682260C:\Windows\system32\taskhostw.exe{8D4DD44E-79BA-616D-5309-000000000402}6856C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.892{8D4DD44E-79A3-616D-3609-000000000402}48005632C:\Windows\Explorer.EXE{8D4DD44E-79BA-616D-5209-000000000402}6840C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.892{8D4DD44E-79A3-616D-3609-000000000402}48005632C:\Windows\Explorer.EXE{8D4DD44E-79BA-616D-5209-000000000402}6840C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.892{8D4DD44E-79A3-616D-3609-000000000402}48005632C:\Windows\Explorer.EXE{8D4DD44E-79BA-616D-5209-000000000402}6840C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.892{8D4DD44E-79A3-616D-3609-000000000402}48005632C:\Windows\Explorer.EXE{8D4DD44E-79BA-616D-5209-000000000402}6840C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.892{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79BA-616D-5309-000000000402}6856C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.892{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79BA-616D-5309-000000000402}6856C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.892{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79BA-616D-5309-000000000402}6856C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.892{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79BA-616D-5309-000000000402}6856C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.861{8D4DD44E-5BA9-616D-1600-000000000402}12921416C:\Windows\system32\svchost.exe{8D4DD44E-79BA-616D-5309-000000000402}6856C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.861{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79BA-616D-5309-000000000402}6856C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.846{8D4DD44E-79BA-616D-5309-000000000402}68566876C:\Windows\system32\conhost.exe{8D4DD44E-79BA-616D-5209-000000000402}6840C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.830{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-79BA-616D-5309-000000000402}6856C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000045594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.814{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186C7270E29DB38090E57E6C1AE4AEB0,SHA256=9E1E34ACDB71905518514C16E072CFC8E2B8CDF59348142040E7E25BD5ED44B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.814{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.814{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.814{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.814{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.814{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-79BA-616D-5209-000000000402}6840C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.814{8D4DD44E-79A3-616D-3609-000000000402}48006164C:\Windows\Explorer.EXE{8D4DD44E-79BA-616D-5209-000000000402}6840C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\Explorer.EXE+91a26|C:\Windows\Explorer.EXE+11a0b|C:\Windows\Explorer.EXE+1187e|C:\Windows\Explorer.EXE+f7c2|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x800000000000000045587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.812{8D4DD44E-79BA-616D-5209-000000000402}6840C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" "C:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000029738Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:18.804{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B158F1323F20E6D23B46C99773E352E7,SHA256=3E55963C18B5DCB6841D004F508F48C7AFA8C489CD8721890BCBF794D48DB820,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:18.031{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59063-false10.0.1.12-8000- 354300x800000000000000045623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:17.562{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local49657- 10341000x800000000000000045622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:19.971{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:19.861{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D67C2BC8884EC374E6878C0BCB113DD,SHA256=B2E5E395C43FFE3BDACE8B1EFDF73E1C9A6048003136DB9289ACB7B4D20C2501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:19.486{8D4DD44E-79A3-616D-3609-000000000402}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=CF7BB7C73EEBF9504B46C827ED064F60,SHA256=F46620F73F2ABAFCB3622CE5B672314F18350E92B7BD6C765CAE5556A994550B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:19.002{8D4DD44E-79BA-616D-5309-000000000402}68566876C:\Windows\system32\conhost.exe{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029741Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:19.820{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F63DA9AECFA403FDEA164989FEF8BE,SHA256=E4FDED3CB0B299E7C9E92DDDE92FE1D2896E0A6346120945603549002F9DB4F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029740Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:17.505{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com52510-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029739Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:19.398{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA4390796689E65217E7B67E9A1D5934,SHA256=5A5E4CD8E1963021C6EB418D34BE11871C2913EF4F929896CF173C806B887616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:20.986{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C660E7278BDF833309E16CC0143E928,SHA256=74B7DC095FFCC2B0FB1CDFECA0260EC206B8DDA800A6666AD8B9A0D164EB95DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:20.971{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=50766951CAF6EE8BBD09648F99357619,SHA256=8B803850F43393FA441C7B5EF234B262CBA804CFE4F614CE47647898B8202480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:20.752{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3451895F911153F52CDA81194E73D877,SHA256=0F3F66C73627AE7161A301CF19A9E562374245837214167E3AF6E1B870A5C4D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:20.424{8D4DD44E-5BA9-616D-1600-000000000402}12921416C:\Windows\system32\svchost.exe{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:20.424{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:20.377{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:20.377{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:20.346{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37BB75F0A56E84EE518340790D6C7148,SHA256=653D546F915BDE08046E29FAB34718D606D8292E0E9C0330F4DE7B4D435679E9,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000045628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-CreatePipe2021-10-18 13:42:20.299{8D4DD44E-79BA-616D-5409-000000000402}6904\PSHost.132790381389345152.6904.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000045627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:20.174{8D4DD44E-79BA-616D-5409-000000000402}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_quw0lzyq.xuo.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:20.174{8D4DD44E-79BA-616D-5409-000000000402}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_zlxb1aja.3rt.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000045625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:20.017{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_zlxb1aja.3rt.ps12021-10-18 13:42:20.017 354300x800000000000000029743Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:18.710{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51180-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029742Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:20.835{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE237444F64DC881D65E0E8C94B5B178,SHA256=D48AD5E727F1A05D6000CF6D29393E652DAAFCDE43A947A91958674B870225E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.986{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000045668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.986{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000045667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.986{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000045666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.986{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000045665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.986{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000045664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.986{8D4DD44E-79A2-616D-2C09-000000000402}19324780C:\Windows\system32\sihost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.986{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000045662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.986{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000045661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.986{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000045660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.986{8D4DD44E-79A2-616D-2C09-000000000402}19324604C:\Windows\system32\sihost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.846{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=600B3254634A1ED5B76C7F2BE65B8B31,SHA256=B4CBE515B3D45B874C092611F7B71444DE4F8B2D08188397F8BB28AE60BC3C4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.799{8D4DD44E-79BA-616D-5309-000000000402}68566876C:\Windows\system32\conhost.exe{8D4DD44E-79BD-616D-5509-000000000402}6180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.799{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.799{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.799{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-79BD-616D-5509-000000000402}6180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.799{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.799{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.799{8D4DD44E-79BA-616D-5409-000000000402}69047032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8D4DD44E-79BD-616D-5509-000000000402}6180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d8e81|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d828a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\9c5a5644a83be0edd530a86dfeac133d\Microsoft.PowerShell.Commands.Utility.ni.dll+ffffedc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\9c5a5644a83be0edd530a86dfeac133d\Microsoft.PowerShell.Commands.Utility.ni.dll+ffffedc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+a2dc94bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+a2da347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+a2da30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+a386b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+a2d6002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+a2dc3a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+a2da5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+a2da5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+a2da5c2b(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1946a6 154100x800000000000000045651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.775{8D4DD44E-79BD-616D-5509-000000000402}6180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\zca3frvt\zca3frvt.cmdline"C:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper -Initial" 11241100x800000000000000045650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.767{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\zca3frvt\zca3frvt.cmdline2021-10-18 13:42:21.767 11241100x800000000000000045649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localDLL2021-10-18 13:42:21.767{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\zca3frvt\zca3frvt.dll2021-10-18 13:42:21.767 23542300x800000000000000045648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.346{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=995D6BEBD4B74250FACEDE9B69147CFC,SHA256=F4A2A8C865A730CE3213F748BDFB11506B107380713D7C34593DAAD49F223C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.299{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8414D37A73C06FFC0F2888DF31D08EFE,SHA256=B5CD29FF02CEDAC9C0C2E9E80AC051B0D70C828CCA512792F46EF062F078BEA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.267{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1C7A9A2A1CF1D531631715548138875F,SHA256=1F524E21BE3D5FFCF13F95499B23F816734BF62AF0F847408E75FCC24D1DD17C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.236{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=90AC41C33B358536B85F90BA57B1F1FC,SHA256=D2497630471CD1EAE816DCE3B62C4FA0BAC94C6A280B1FC1901C20B1D63E5DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.189{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1BB85635341BC493DED2D28D5B89D41E,SHA256=B97E54547EEEF7E812359CD004D177EEB30AAD5510CB448A129DBB6A91FFF049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.158{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=96209B941D8B978FA1BE60B46FBFE4DA,SHA256=EAE64E4BE5A6DAA54B1D733C1BC6E86354DE906619BAF7B5A037F45F686DE4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.111{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ED23B3653B1DEC8671BBE9EBF6EA2AFD,SHA256=5AA0033DA401B24592999A26AAA203D694BD308F426F59B2D420643D18EDCA11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.064{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E9A0514F179D595C61BC2F6841BFFCE1,SHA256=F3297D899E31B0304C2A10BA0B15FC1479C42F9AF953DF40F67C461EE450DE3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.049{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FF06F09AA89828099948966435E5B258,SHA256=CD039FB4194C73A27A2E79A126C17684F515D48A5C1E030523E791733155DDC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.017{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=14644A91A35B4F370ED2A92DB394CFB4,SHA256=9D56F995133B4D0B5D26862040624E97DA3FD63F14A510943596D0F2E1A961D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.017{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1B9D61062F129A36FCF84B48DD8BABBE,SHA256=E6E2172FA1C0655D7579339AADEAE6740A54D7B196E9AB50D76AA632F4E1183F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:21.002{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1ED684EA3A5FA27B7D3F53B2334D43A2,SHA256=4791199E8952D1ECB0668A9932161337688180394B961B3C4B276282B614571E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029746Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:21.851{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49E7E2302D729DBE4A148904EC860CA,SHA256=9E749DC6AA29F11A14E5853FA8D85F464A02966D1DFF6C56AA576CDC0672663F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029745Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:19.223{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com52652-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029744Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:21.132{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48136D995187EEF95F9C4A5682CD5C83,SHA256=7A1F78821BA92CA633F3D59525B53C312DB90BB01337B6E33814BB6A192A0821,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.861{8D4DD44E-5BA9-616D-1000-000000000402}4961776C:\Windows\system32\svchost.exe{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.861{8D4DD44E-5BA9-616D-1000-000000000402}4961776C:\Windows\system32\svchost.exe{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.658{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33EDDFD2D6CE8C517FF198FEFCF89390,SHA256=0A26FDEFE28E514368F44124D9A436A19E064425953425998EC110B4E0395958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.658{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2B5EBB617043ADFA4002A380544B35B4,SHA256=DB0D152157006C7DBEB6E33BB8D3CF5D1019D8EA9948657E3AED37624D1B7AD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.596{8D4DD44E-5BA9-616D-1600-000000000402}12921416C:\Windows\system32\svchost.exe{8D4DD44E-79BE-616D-5709-000000000402}2904C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.596{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79BE-616D-5709-000000000402}2904C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.596{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79BE-616D-5709-000000000402}2904C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.596{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-79BE-616D-5709-000000000402}2904C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.596{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-79BE-616D-5709-000000000402}2904C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.596{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-79BE-616D-5709-000000000402}2904C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.142{8D4DD44E-79BA-616D-5409-000000000402}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\zca3frvt\zca3frvt.outMD5=F94027B4682F6F22C119104A834C6AB7,SHA256=4DEBA2814A4DF198125E6E43820F5D93098487C53F7D6EE2607C5326B92BE028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.142{8D4DD44E-79BA-616D-5409-000000000402}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\zca3frvt\zca3frvt.cmdlineMD5=F6AA8D763D944EC331520EDD2CC39D2F,SHA256=6BC4A3D728D38B7D04BD76273821B7D3AEE0832F5DE4ADCF87BBAA7E1AA63E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.142{8D4DD44E-79BA-616D-5409-000000000402}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\zca3frvt\zca3frvt.0.csMD5=D9ACA9FFA16C22410A16DE5D5571469D,SHA256=74E86BCD8E601DAC165642F69B571B651867BE0251D7B3D9498D1F080E4D8391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.142{8D4DD44E-79BA-616D-5409-000000000402}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\zca3frvt\zca3frvt.dllMD5=0F955FEDC6CD537D93C28F62C80246F0,SHA256=1099B5EB649EC0DD15F42D9C38C2FE758C7993D8C1961CD3C3AAD408719B8D69,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000045689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.127{8D4DD44E-79BD-616D-5509-000000000402}6180ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\zca3frvt\CSC874D57A4F48240AF8DA013F5F8A7F4B3.TMPMD5=F32C6B95D5DEAE205BBA8EA14C5BFDDC,SHA256=4EB778746DC2AD27CDCD1C6000CE7889779A845D1CB44C376D7B18AFA5E89813,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.080{8D4DD44E-79A5-616D-3909-000000000402}46681564C:\Windows\system32\rundll32.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+534ee|C:\Windows\System32\shell32.dll+84812|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.080{8D4DD44E-79A5-616D-3909-000000000402}46681564C:\Windows\system32\rundll32.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+53458|C:\Windows\System32\shell32.dll+84812|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.080{8D4DD44E-79A5-616D-3909-000000000402}46681564C:\Windows\system32\rundll32.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+5343a|C:\Windows\System32\shell32.dll+84812|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.080{8D4DD44E-79A5-616D-3909-000000000402}46681564C:\Windows\system32\rundll32.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+5343a|C:\Windows\System32\shell32.dll+84812|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.080{8D4DD44E-79A5-616D-3909-000000000402}46681564C:\Windows\system32\rundll32.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+c5d8a|C:\Windows\System32\shell32.dll+84ae4|C:\Windows\System32\shell32.dll+84738|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.080{8D4DD44E-79A5-616D-3909-000000000402}46681564C:\Windows\system32\rundll32.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+c5d78|C:\Windows\System32\shell32.dll+84ae4|C:\Windows\System32\shell32.dll+84738|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.080{8D4DD44E-79A5-616D-3909-000000000402}46681564C:\Windows\system32\rundll32.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+c5d78|C:\Windows\System32\shell32.dll+84ae4|C:\Windows\System32\shell32.dll+84738|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000045681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localDLL2021-10-18 13:42:22.064{8D4DD44E-79BD-616D-5509-000000000402}6180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\zca3frvt\zca3frvt.dll2021-10-18 13:42:21.767 23542300x800000000000000045680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.064{8D4DD44E-79BD-616D-5509-000000000402}6180ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\zca3frvt\zca3frvt.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.064{8D4DD44E-79BD-616D-5509-000000000402}6180ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES97E1.tmpMD5=CA0B8CB2E96AD65A86C9585F3AD98A87,SHA256=8D3E037A65556FF03F6BB392BE668AEC9D565022901368FDF73511F198F27906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.017{8D4DD44E-79BE-616D-5609-000000000402}6196ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES97E1.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.002{8D4DD44E-79BA-616D-5309-000000000402}68566876C:\Windows\system32\conhost.exe{8D4DD44E-79BE-616D-5609-000000000402}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.002{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.002{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.002{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.002{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-79BE-616D-5609-000000000402}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.002{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.002{8D4DD44E-79BD-616D-5509-000000000402}61806184C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{8D4DD44E-79BE-616D-5609-000000000402}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.005{8D4DD44E-79BE-616D-5609-000000000402}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES97E1.tmp" "c:\Users\Administrator\AppData\Local\Temp\zca3frvt\CSC874D57A4F48240AF8DA013F5F8A7F4B3.TMP"C:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{8D4DD44E-79BD-616D-5509-000000000402}6180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\zca3frvt\zca3frvt.cmdline" 23542300x800000000000000029747Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:22.867{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6910B3A8868AE8082471883A3C6B32ED,SHA256=6AD468E63F287E4D6EC91FF5AE26DE34612058FEC9E8C38A498CCE907AD87DCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.376{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-185.attackrange.local59069-false169.254.169.254-80http 354300x800000000000000045712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.345{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-185.attackrange.local59068-false169.254.169.254-80http 354300x800000000000000045711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.313{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-185.attackrange.local59067-false169.254.169.254-80http 354300x800000000000000045710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.287{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-185.attackrange.local59066-false169.254.169.254-80http 354300x800000000000000045709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.243{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-185.attackrange.local59065-false169.254.169.254-80http 354300x800000000000000045708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:22.226{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-185.attackrange.local59064-false169.254.169.254-80http 23542300x800000000000000045707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:23.767{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B10AFF2875BC9E860BDB9CBBA12ACC63,SHA256=AA5A53E41681DB2F838E94BDF87DBE17E132F4616A5997E596299926BE4F604E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:23.767{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3D987D43472876A70F8F3D230B816D6,SHA256=FAB955005AF77E1D6BD3EEE22DAB8F6EDD09937D445E26E791636DED08C2E487,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:23.721{8D4DD44E-79A2-616D-2C09-000000000402}19324780C:\Windows\system32\sihost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:23.658{8D4DD44E-5BA9-616D-1000-000000000402}4961776C:\Windows\system32\svchost.exe{8D4DD44E-79BA-616D-5409-000000000402}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029750Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:23.882{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BAC2812EE54E1B7405CE7101EB9966,SHA256=EACA952DF2A87485F3D74CA3CC3D39E831FAA570E481DD18E09A00EE0A9C577F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029749Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:21.696{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com52852-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029748Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:23.585{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=057CAFAC11ED340CA08405D3679F6DC1,SHA256=77C7DCE431CA256169EC2740B19C5DAC8CC67C160CBC5D0149B6A8405097A001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.471{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=10D352F2F05E34D9CB86DC167B66A0AD,SHA256=BFBA8690253565B2A566139DA17D21081AB30A1B903D76A65D01F5047E70D788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.111{8D4DD44E-79BA-616D-5209-000000000402}6840ATTACKRANGE\AdministratorC:\Windows\system32\cmd.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmdMD5=6F31D86A88379966303FF5E580AC09C9,SHA256=D6EC54010FC20FADFE76B05AE3DDBCAB1C3134F462C4ED615C32B571A2930D38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.080{8D4DD44E-79BA-616D-5309-000000000402}68566876C:\Windows\system32\conhost.exe{8D4DD44E-79C0-616D-5909-000000000402}6344C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.080{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.080{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.080{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.080{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.080{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-79C0-616D-5909-000000000402}6344C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.080{8D4DD44E-79BA-616D-5209-000000000402}68406844C:\Windows\system32\cmd.exe{8D4DD44E-79C0-616D-5909-000000000402}6344C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+4917|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.084{8D4DD44E-79C0-616D-5909-000000000402}6344C:\Windows\System32\findstr.exe10.0.14393.0 (rs1_release.160715-1616)Find String (QGREP) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFINDSTR.EXEfindstr /v DELETEME C:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A{8D4DD44E-79BA-616D-5209-000000000402}6840C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 10341000x800000000000000045723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.080{8D4DD44E-79BA-616D-5309-000000000402}68566876C:\Windows\system32\conhost.exe{8D4DD44E-79C0-616D-5809-000000000402}6348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000045722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT10232021-10-18 13:42:24.080{8D4DD44E-79BA-616D-5209-000000000402}6840C:\Windows\system32\cmd.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd2021-10-18 13:42:24.080 10341000x800000000000000045721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.080{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.080{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.080{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.080{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-79C0-616D-5809-000000000402}6348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.080{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.080{8D4DD44E-79BA-616D-5209-000000000402}68406844C:\Windows\system32\cmd.exe{8D4DD44E-79C0-616D-5809-000000000402}6348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+484b|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.080{8D4DD44E-79C0-616D-5809-000000000402}6348C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" "C:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{8D4DD44E-79BA-616D-5209-000000000402}6840C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 23542300x800000000000000045714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.049{8D4DD44E-79BA-616D-5409-000000000402}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029751Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:24.914{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05EADD11278A4BA41622FBF21930883,SHA256=B7362FBD777DFE2F2767738EC86FD4BD99DBF68E737AAB4E4E8D3B7A9BA2B03F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:24.031{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59070-false10.0.1.12-8000- 23542300x800000000000000045737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:25.408{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FD8F7E4729F235057FF65B037C6875B6,SHA256=D281D14F8387B75C76B58F105871176786BE65EFD043ADB50192441D0AE50DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:25.408{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=567755A5A70774FDEF82A5B3177F7872,SHA256=F22428604810FE5C7F88F67184648242E142F63F311819A713F4EE0FCBEF4A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:25.408{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B87E32E2116564A96A0075881441B4,SHA256=EC456B1B9CD945707D45AC1ACA8174039E3D00F80A7B072A69A15F08ACD9CC79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:25.408{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5B1282396A9D6A4C392C6FE11B075D3,SHA256=8B504860B52C21B39D127C9DAAD6A14443B6F0039C67D0D26C4C1D7BDCA30EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029753Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:25.960{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE02B0B918355A3A4DE415AA727816E,SHA256=4D86309F0488682A7F9D30D05C390A98C095D084BA6A2791B63EB83915481877,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029752Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:23.741{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000045740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:26.783{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x800000000000000045739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:26.424{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD880D864E82C6FAE43E7DE9B214CC44,SHA256=A65BA36561D12B8D3A42784B04C454A64A5ACF4350B6A8BF381F89D0919D17D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029756Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:26.976{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2A1D95B6378C37FC5B63954CA2050B,SHA256=704F1C4536A7275BA141224D0E1D3DE18C9CD4ED72A13474DAE16898B6BD9095,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029755Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:24.194{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com53040-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029754Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:26.085{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B0A49971BAAEDF3A9B0D3F7D7C2C33D,SHA256=1503C6FEF170C7B4A298D3684956C4DE79A83E4ABC029753F17FBFE524C93B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:27.427{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC198F5D0F00705B1A1F1E89C98FF17,SHA256=C5E3488C183271F563AE2F87BDD0602C54E1B253D6C5B930F5101F44BDEA5538,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045868Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.989{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045867Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.973{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045866Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.973{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045865Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.973{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045864Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.958{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045863Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.958{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045862Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.958{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045861Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.942{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045860Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.942{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045859Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.942{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045858Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.942{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045857Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.926{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045856Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.926{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045855Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.926{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045854Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.926{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x800000000000000045853Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.926{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8430F002ED36E0A7B630FAB5AE1A8618,SHA256=292E094741BAA47DEE5024C7CCB570D45BAD7FD511AA0C2E62E9950630D27382,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045852Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.926{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045851Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.911{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045850Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.911{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045849Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.911{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045848Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.911{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045847Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.911{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045846Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.895{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045845Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.895{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045844Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.880{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045843Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.880{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045842Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.880{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045841Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.880{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045840Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.864{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045839Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.864{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045838Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.864{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045837Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.864{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x800000000000000045836Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.864{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=796D428789661DC27873936552B45556,SHA256=99939175DBAFE36D6911C5D83DC18BDA3F3002F61AB0AFB216DE7381B45764F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045835Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.848{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045834Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.833{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 354300x800000000000000029759Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:26.396{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com53216-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029758Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:28.307{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6483880613FA4EBD9BCAFB6673BB19B,SHA256=5F5C57A5694CC0F4A9360CC4756288EB8EF9892E39359A7FEE0B414FD572FDA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029757Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:28.010{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95B0E956A6153CBD4CB394609681242,SHA256=F3CF19353FDBA9EF61D67E2C25A3D37453C5D9896D7DE06830A177AB470CD170,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045833Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.817{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045832Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.801{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045831Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.786{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045830Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.786{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045829Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.786{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045828Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.786{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045827Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.786{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045826Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.786{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045825Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.770{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045824Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.770{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045823Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.770{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045822Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.770{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045821Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.770{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045820Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.755{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045819Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.755{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045818Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.755{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045817Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.755{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045816Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.755{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045815Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.739{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045814Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.739{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045813Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.739{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045812Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.723{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045811Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.723{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045810Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.708{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045809Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.708{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045808Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.708{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045807Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.708{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045806Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.692{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045805Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.676{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045804Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.676{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045803Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.676{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045802Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.676{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045801Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.661{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045800Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.661{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045799Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.645{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045798Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.645{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045797Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.630{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045796Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.630{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045795Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.614{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045794Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.614{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045793Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.598{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045792Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.598{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045791Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.598{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045790Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.583{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045789Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.583{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045788Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.583{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045787Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.567{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045786Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.567{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045785Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.567{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045784Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.567{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045783Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.567{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045782Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.551{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045781Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.551{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045780Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.551{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045779Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.551{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045778Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.551{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045777Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.536{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045776Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.536{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045775Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.520{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045774Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.520{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.520{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.505{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.505{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045770Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.505{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045769Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.505{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045768Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.489{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045767Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.426{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045766Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.426{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045765Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.426{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045764Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.411{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045763Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.411{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045762Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.395{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045761Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.395{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045760Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.380{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045759Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.364{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045758Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.364{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045757Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.348{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.333{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.333{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.317{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.317{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.317{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.317{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.301{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.301{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.301{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.301{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.286{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.286{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.286{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:28.286{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 354300x800000000000000045742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:26.000{8D4DD44E-5BA9-616D-1100-000000000402}372C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x800000000000000046030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.962{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-124MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.678{8D4DD44E-79B6-616D-5109-000000000402}67086604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.662{8D4DD44E-79B6-616D-5109-000000000402}67086604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.662{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.646{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.646{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.646{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.646{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.646{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.631{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x800000000000000046020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.631{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB5A81B039D0F23DC10492DBAF1CBF2,SHA256=7CBCFC27A72539D43DA6ED094CB0C76462745182D0618D7D194B50383232847A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.615{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x800000000000000046018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.615{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32AF125D68631B393A151EBD0429EB78,SHA256=166E88748E49D4924842F190C0BA169D406BF0A91F622859BECF2D2289625CF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.600{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.600{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.600{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.600{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.600{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.600{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.584{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.584{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.584{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.584{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.584{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.568{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.568{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.568{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.568{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.568{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.553{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000046000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.553{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.553{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.537{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.521{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.521{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.506{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.506{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.506{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.506{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.506{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.490{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.490{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.490{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.475{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.475{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.475{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.475{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.475{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x800000000000000045982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.475{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36A487554CB4163B2D9EFF2698E341D,SHA256=5EC0EA57E3E7E55C11BE3FAF0240663B707E15873A17F1EF8CF4A1E43989809B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.459{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.459{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.459{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.459{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.459{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.459{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.442{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.442{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.442{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.442{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.426{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.426{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.426{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.426{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.411{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.411{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.411{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x800000000000000029760Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:29.041{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6622CADC6C15022C8DF3FE6B8B3B7C06,SHA256=C7469901ADCE0E7C248B81CC34AF035FEAA7AB6D4B2AEFA4271BD95294090FA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.395{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.395{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.395{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.395{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.395{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.380{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.380{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.380{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.364{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.364{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.348{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.348{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x800000000000000045952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.348{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0262430D1F979551E7E2AD9FFCA5F4,SHA256=C826D18EE8F51379A8F1F60EA9DB637BEE4BE1FFE38D28902992990078A80860,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.333{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.333{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045949Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.317{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045948Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.317{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045947Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.317{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045946Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.317{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045945Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.301{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045944Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.301{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045943Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.301{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045942Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.301{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045941Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.301{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045940Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.286{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045939Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.286{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045938Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.286{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045937Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.286{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045936Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.286{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045935Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.270{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045934Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.270{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045933Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.255{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045932Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.255{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045931Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.255{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045930Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.255{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045929Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.255{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x800000000000000045928Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.255{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DB04E669E364D3D43E51876A118365,SHA256=94CF0598B6F720EE27BD68173E209250E5BA8AB0FCE24477BCCD3A9EBD5147CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045927Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.239{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045926Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.239{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045925Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.239{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045924Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.239{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045923Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.239{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045922Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.239{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045921Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.223{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045920Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.223{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045919Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.223{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045918Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.208{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045917Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.208{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045916Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.208{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045915Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.208{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045914Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.208{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045913Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.192{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045912Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.192{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045911Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.192{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045910Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.192{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045909Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.192{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045908Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.192{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045907Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.176{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045906Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.176{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045905Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.176{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045904Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.176{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045903Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.176{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045902Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.161{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x800000000000000045901Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.161{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31115964A77F2F9E1F270224D6AAD410,SHA256=D8310C6FC51A3232EA0727CA2BCE3F5B60ECA37FE7F832C12042D305E0DA4BD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045900Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.145{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045899Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.145{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045898Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.145{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045897Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.130{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045896Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.114{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045895Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.098{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045894Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.098{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045893Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.098{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045892Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.098{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045891Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.098{8D4DD44E-79B6-616D-5109-000000000402}67086728C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045890Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.083{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045889Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.083{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045888Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.083{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045887Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.083{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045886Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.083{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045885Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.083{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045884Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.067{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045883Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.067{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045882Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.067{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045881Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.067{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045880Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.067{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x800000000000000045879Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.067{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EDF7DC0A30421C6D00DDDF92B9DB04,SHA256=C0103A2A7D142380E229E505D3535B8B80D62049CCD3F7993CECF0B591B8C745,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045878Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.051{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045877Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.051{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045876Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.051{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045875Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.051{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045874Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.036{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045873Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.036{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045872Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.005{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045871Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.005{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045870Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.005{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000045869Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.005{8D4DD44E-79B6-616D-5109-000000000402}67086724C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-79B6-616D-5009-000000000402}6668C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x800000000000000046031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:30.976{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-125MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029764Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:28.744{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51182-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029763Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:28.662{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com53381-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029762Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:30.698{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57A7D0928B47E7D194AA02F597091350,SHA256=DD65DF4980F17F0918F5D79A86EDFD66FC25106DF175DE7681BDCCA062DA07C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029761Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:30.042{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A406AF44FA9A3C2EED95E317E8C5C6A8,SHA256=3A35D759C6D5A8D75D81FDD7109FECAC47A769A0E2DF4BFD7DC1350E15E4F097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:31.285{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B21D2E8932E76F15D1273DA3B2C100,SHA256=65ABE18B6464000AFD7C5E16F4F628AD50EEABB0DE6BC11FD3DC9F42E53C341B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.683{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local65235- 354300x800000000000000046032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.679{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59071-false23.203.80.193a23-203-80-193.deploy.static.akamaitechnologies.com80http 10341000x800000000000000029778Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:31.479{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-79C7-616D-E806-000000000502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029777Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:31.479{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029776Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:31.479{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029775Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:31.479{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029774Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:31.479{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029773Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:31.479{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029772Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:31.479{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029771Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:31.479{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029770Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:31.479{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029769Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:31.479{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029768Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:31.479{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-79C7-616D-E806-000000000502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029767Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:31.479{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-79C7-616D-E806-000000000502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029766Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:31.480{6F8252D3-79C7-616D-E806-000000000502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029765Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:31.057{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECFB87B4D742FBBF0B5461844F4FD29,SHA256=F7C1F79C2C5DC53A83EB4A4D5A2C7B9EC7BED10EAB21E337985F45EF1DE1BD6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.925{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59076-false10.0.1.12-8000- 354300x800000000000000046039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.762{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59075-false23.203.80.193a23-203-80-193.deploy.static.akamaitechnologies.com80http 354300x800000000000000046038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.743{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59074-false23.203.80.193a23-203-80-193.deploy.static.akamaitechnologies.com80http 354300x800000000000000046037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.726{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59073-false23.203.80.193a23-203-80-193.deploy.static.akamaitechnologies.com80http 354300x800000000000000046036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:29.711{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59072-false20.86.173.234-80http 23542300x800000000000000046035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:32.086{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589AF68557FEC3C57ECD48F38671FCFF,SHA256=6AB37BBF7C012591ABA340EA60DF911C5206C01C1288D3E3BCD978E4C0AADD87,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029808Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:30.722{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com53537-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 10341000x800000000000000029807Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.823{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-79C8-616D-EA06-000000000502}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029806Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.823{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029805Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.823{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029804Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.823{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029803Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.823{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029802Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.823{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029801Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.823{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029800Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.823{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029799Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.823{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029798Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.823{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029797Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.823{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-79C8-616D-EA06-000000000502}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029796Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.823{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-79C8-616D-EA06-000000000502}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029795Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.823{6F8252D3-79C8-616D-EA06-000000000502}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029794Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.495{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5B0081F5EBC73DB29D86D14E7EC9CCA,SHA256=D9CEED5858AE3B06D29C7B669EF006E2262AE06C4A6AE59F9EDAB159F00AAFC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029793Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.291{6F8252D3-79C8-616D-E906-000000000502}9123268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029792Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.151{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-79C8-616D-E906-000000000502}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029791Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.151{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029790Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.151{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029789Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.151{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029788Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.151{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029787Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.151{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029786Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.151{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029785Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.151{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029784Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.151{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029783Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.151{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029782Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.151{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-79C8-616D-E906-000000000502}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029781Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.151{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-79C8-616D-E906-000000000502}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029780Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.152{6F8252D3-79C8-616D-E906-000000000502}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029779Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:32.073{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E9D0259DE92C7823A551C521EBDC1E,SHA256=8D7AF7AA7B0DF8EFABA924D7360B8871EA607BC549EC8EF37E2F568AC2686800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029824Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.838{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13EB0BD84F207881DC4F005847394A26,SHA256=2F5BB13FF877ACE27D5074342FA9405965FAD693CF2B1F536221A28338EE7CCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029823Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.729{6F8252D3-79C9-616D-EB06-000000000502}3036996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029822Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.541{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-79C9-616D-EB06-000000000502}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029821Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.541{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029820Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.541{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029819Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.541{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029818Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.541{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029817Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.541{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029816Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.541{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029815Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.541{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029814Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.541{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029813Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.541{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029812Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.541{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-79C9-616D-EB06-000000000502}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029811Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.541{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-79C9-616D-EB06-000000000502}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029810Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.542{6F8252D3-79C9-616D-EB06-000000000502}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029809Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.182{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4B1FFF4AC1E961BAB04AAB8CB8788D,SHA256=E7DCE984291384143551A637E9BCB3AEB8DB9A1AD4BDDE1B7BC641D6576DA648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:33.179{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81A5CB22E1DE7B1B871C88A8A02E749B,SHA256=F7D2773106C009422BA00FA27BDF77E0A5199D2096B69BAF6DAA6C38D98D4B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:33.179{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA67F5018F8D770154FDB8052F2997B4,SHA256=9BEF8FD1A2E89F57759038020A8451B49116C850262ACAA53ACA596B29B8E1E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:33.101{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CDEB19EFB3ED381A7A341910594FC6,SHA256=00164C0332330DE7AE9DC3B4DD68D5A73438F39119DC1540484F72868FB233E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029839Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:34.979{6F8252D3-79CA-616D-EC06-000000000502}27241196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029838Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:34.760{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-79CA-616D-EC06-000000000502}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029837Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:34.760{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029836Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:34.760{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029835Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:34.760{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029834Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:34.760{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029833Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:34.760{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029832Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:34.760{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029831Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:34.760{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029830Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:34.760{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029829Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:34.760{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029828Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:34.760{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-79CA-616D-EC06-000000000502}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029827Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:34.760{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-79CA-616D-EC06-000000000502}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029826Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:34.761{6F8252D3-79CA-616D-EC06-000000000502}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029825Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:34.213{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBF7D45A02F255383CE3D5FEC077BA5,SHA256=65DBFE34F42952F59BDAC356775597AD5FA1DD82FCD6D66A542B73B3DC6F8F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:34.117{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C3B7FDB328BFF569D3309DF362AD4D,SHA256=2738CE8A3C392D09C1720F519D441042C4544B47A2B3155CDA32B2CB1CCF4A57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029868Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.932{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-79CB-616D-EE06-000000000502}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029867Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.932{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029866Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.932{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029865Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.932{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029864Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.932{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029863Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.932{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029862Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.932{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029861Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.932{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029860Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.932{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029859Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.932{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029858Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.932{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-79CB-616D-EE06-000000000502}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029857Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.932{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-79CB-616D-EE06-000000000502}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029856Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.933{6F8252D3-79CB-616D-EE06-000000000502}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029855Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.276{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771754AB21E1BBE31D5311880B49E4D2,SHA256=2051CCFFA00E9205473B3BF26DDCB8AB958901A4C5394505A63E791122C3FFF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029854Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.260{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-79CB-616D-ED06-000000000502}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029853Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.260{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029852Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.260{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029851Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.260{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029850Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.260{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029849Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.260{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029848Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.260{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029847Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.260{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029846Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.260{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029845Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.260{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029844Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.260{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-79CB-616D-ED06-000000000502}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029843Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.260{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-79CB-616D-ED06-000000000502}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029842Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.261{6F8252D3-79CB-616D-ED06-000000000502}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000046047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:31.990{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local59077-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000046046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:31.990{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local59077-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000046045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:35.133{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F22EF11C8C595B72AF86B011BC98B64,SHA256=D7EFADAC550491EC1F6E5B2C534CAA3C39BAFEC06868128B12185C1966C19579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029841Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.073{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70B6EF7A62A11C8A4818232FC59F8478,SHA256=E99F32A220177C17248B7E2242D5B4FA642981544FD29D51F8780C329619AD14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029840Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.160{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com53726-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 10341000x800000000000000029890Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.729{6F8252D3-5DBA-616D-1500-000000000502}10441392C:\Windows\system32\svchost.exe{6F8252D3-79CC-616D-EF06-000000000502}2108C:\Windows\System32\sihclient.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029889Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.604{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C5EA43893EFAD94F72606B9A83BEA3,SHA256=C4693ED11BB395CBB18B1E188D814153BEC3DB78BEB3A6BF3542256CDEBA1C0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029888Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.604{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C90DC9DA3DF74CD61ECDD4D7E0E7779,SHA256=D84A3B89156FB64EE53699D489B9084F76128C8B283C1E78D52921A44BEAF939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029887Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.276{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B5E5D6BDF56FE047A530B54836BC3B,SHA256=E85050D8D935E8D2A90AA4CCCB8827FB69CE075E57DAA42E1088E46B56BD97C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029886Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.260{6F8252D3-79CC-616D-F006-000000000502}38282728C:\Windows\system32\conhost.exe{6F8252D3-79CC-616D-EF06-000000000502}2108C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:36.742{8D4DD44E-79A2-616D-2F09-000000000402}42682260C:\Windows\system32\taskhostw.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000046049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:35.021{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59078-false10.0.1.12-8000- 23542300x800000000000000046048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:36.148{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C48A22B7D48B7A79DC6FF6A17E1363,SHA256=89CF2307E36C888B4313BE3BD4191D8170748636AF939912152D07402BF7F581,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029885Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.229{6F8252D3-5DBA-616D-1500-000000000502}10441392C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029884Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.213{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-79CC-616D-F006-000000000502}3828C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029883Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.213{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029882Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.213{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029881Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.213{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029880Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.213{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029879Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.213{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029878Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.213{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029877Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.213{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029876Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.213{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029875Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.213{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029874Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.213{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-79CC-616D-EF06-000000000502}2108C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029873Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.213{6F8252D3-5DBA-616D-1100-000000000502}960496C:\Windows\system32\svchost.exe{6F8252D3-79CC-616D-EF06-000000000502}2108C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029872Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.213{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1100-000000000502}960C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029871Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.213{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1100-000000000502}960C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029870Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:36.104{6F8252D3-79CB-616D-EE06-000000000502}11203028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000029869Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:33.792{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029891Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:37.323{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24155A14B25E1292D3D1DFF37AE9C7CF,SHA256=E599BEBF41C0BA7129A0D9E4BE77C01F1B7E1420F7FB3600C5313AC8BE85AD58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:37.164{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC0A7E98E8945E2B00A779E55CE2F7B3,SHA256=B771D0C2D8D28496F3C034D9797C52F75C636F554A158C4F95F2171D166F8D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029893Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:38.354{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FC3065761E8B2B3D9A9D21D56559E2,SHA256=CE0A2F76AAA855F3E1E8E79D5E0294AE911874BD0FED71E0F8C8D0AC688DEBEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046077Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.773{8D4DD44E-79A2-616D-2B09-000000000402}4384ATTACKRANGE\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.dbMD5=E252099574D931D472E462A557EFC6ED,SHA256=81FD4B68536F489B5B3C03733E514E430E834260F0AF51169770CAFABDD541E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046076Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.414{8D4DD44E-79A3-616D-3609-000000000402}48002836C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046075Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.414{8D4DD44E-79A3-616D-3609-000000000402}48002836C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046074Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.414{8D4DD44E-79A3-616D-3609-000000000402}48002836C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046073Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.414{8D4DD44E-79A2-616D-2F09-000000000402}42682260C:\Windows\system32\taskhostw.exe{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046072Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.414{8D4DD44E-79A2-616D-2F09-000000000402}42682260C:\Windows\system32\taskhostw.exe{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046071Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.398{8D4DD44E-79A3-616D-3609-000000000402}48005036C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046070Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.398{8D4DD44E-79A3-616D-3609-000000000402}48005036C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046069Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.398{8D4DD44E-79A3-616D-3609-000000000402}48005036C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046068Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.398{8D4DD44E-79A3-616D-3609-000000000402}48005036C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046067Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.398{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046066Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.398{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046065Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.398{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046064Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.398{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046063Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.383{8D4DD44E-5BA9-616D-1600-000000000402}12924292C:\Windows\system32\svchost.exe{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046062Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.383{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046061Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.179{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156186447602036C53FDACC20D400D07,SHA256=1D69DCD15D6F584FB9314DEEA433A7920C1E0BE0F880AF2615FFBF4D3E223DDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029892Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:35.176{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com53869-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 10341000x800000000000000046060Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.117{8D4DD44E-79CE-616D-5B09-000000000402}69326948C:\Windows\system32\conhost.exe{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046059Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.101{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046058Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.086{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046057Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.086{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046056Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.086{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046055Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.086{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046054Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.086{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.086{8D4DD44E-79A3-616D-3609-000000000402}48006828C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+3d503|C:\Windows\System32\SHELL32.dll+3d3cb|C:\Windows\System32\SHELL32.dll+3cce7|C:\Windows\System32\SHELL32.dll+3c9ac|C:\Windows\System32\SHELL32.dll+122487|C:\Windows\System32\SHELL32.dll+1223e5 154100x800000000000000046052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:38.089{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000029896Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:39.370{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C72CACF63385C6E46B691A0D31D3C1,SHA256=BB22F2068485973CFA7EECB06A4FAC0EEC08E8377D955269F7CC07D4CEA75B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046080Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:39.179{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3D7F8208FBB4355DA77C59A10053AD,SHA256=BA2188DF2D0091E248FA84A6606ED71DA119AA96EBD8A076EEE137C9F321F1DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029895Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:37.206{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com54036-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029894Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:39.104{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDBD2D010ECCF724595D8D1C01017284,SHA256=D94AFE29475812CA08918F4D770871255C9E1FE7D92C561AB62B2816DA533391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046079Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:39.117{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D40A030AA50BBE35C246CBEB1508D799,SHA256=6994190F0717F715416979C562901BC9C6E2E27ACB4DF47393E3F35630A9451B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046078Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:39.117{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81A5CB22E1DE7B1B871C88A8A02E749B,SHA256=F7D2773106C009422BA00FA27BDF77E0A5199D2096B69BAF6DAA6C38D98D4B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046081Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:40.195{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA986B26D81DB75097EA487424E5E563,SHA256=7FBAF450410686018BA2C66F2EF051DC6D6921BB38CE8A1ABFEB77E088D9DC48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029898Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:40.807{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B0ADD913E97D783F8791511FA452B6F,SHA256=8A12313E44C6F555228D9C432E3C5869D6529013DD3E8C16CEBB720BF96B0607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029897Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:40.416{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE0CC111542CA1646D9306484A3DF11,SHA256=EA65548474286E136BEAFE872CB1BECB797D09E9BF69B6874D7EAAD912E8E013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029900Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:41.463{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B027CB222FB822532870B5EB1C8DFE6,SHA256=FB5A543DC1F5BB1CB07A7ED62D3A25DEE4B319FFEE8B7DC4286D3C86B25CEE57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046083Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:40.052{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59079-false10.0.1.12-8000- 23542300x800000000000000046082Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:41.211{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACCD173845A6DF7C62015F451198068,SHA256=9618C63B98F0F2F52786F0E45165EF549D37BEA951E3A082E02C880A6E4D6723,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029899Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:38.908{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com54176-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029902Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:42.495{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A36A66B54187506E717FE8BC75BFB17,SHA256=C294FB254E7EE5204B3E9AC3FD4BB3FD48516ED4C5183AB88B5A0AAB8B489438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046084Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:42.226{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851164207E4049D86630B7A780E1CF53,SHA256=5278AD60BC430E7E428970BA2E1756FDAB824694B89C0D2800DA1C5544C646B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029901Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:39.806{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029905Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:43.557{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0111C6A65A5CBF2D8F43F655B7290F,SHA256=1B68C2F9DCF23D924C098FEAA62F412093DA48056631AABADAA056B4F2A87C76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046085Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:43.242{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33387AE8D15AF92C69C7BE6067A3348,SHA256=950936A64B1325FFFFDC9B6873F34E6C119804087ABD81278FA19A25570761F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029904Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:41.457{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com54374-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029903Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:43.338{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4BFC77ADA6A8AAFBE1E2C09FA25E879,SHA256=57C89DE7E16446F298C45D792617538E9A1AAA9C70F600BD39A232EE7FA97383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029906Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:44.604{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5318ACD18119F03F5F9A1B5F45C886,SHA256=7F85632727D6FDF6963DF757A169A4613DCD37F934019B826B1319D7ABE318F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046086Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:44.257{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899ABCA5F6DAA9A0AD56D2C6EE975A47,SHA256=7305D832C5E4768B2006D8029FD287B888ECD570FF3AF5A95B43835EEC3EBB60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029909Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:45.635{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5EF08B12E0BCB26F199DA638FD6D52,SHA256=865D382007C20AEA69E1AB6FCE7120361912E181078230271202CD63427AD550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046087Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:45.273{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DBC449DE439AFDC320C17A2A986C67,SHA256=FE2016EAE395CEC14C6194B5A93B5409C8EE5CF3AC9573F7B882930B9EB9466A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029908Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:43.360{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com54516-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029907Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:45.260{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B56EE02FC8649246B802BBCECF9729D1,SHA256=E0543139DC5A034EA4654380186A04125A76B67499D2958C23EE17BEF8A1D14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029910Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:46.651{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77E3FB456E46EC7C6491DE33CF4E70C,SHA256=575EFA3D06E740251DB0CD83E8D8A8B59D8A09A5F25A28ABCAA134DDA64476EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046088Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:46.289{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880866F9E37D702C15BE51A740A47065,SHA256=FCCB0DF7F4EECEAED477F251E7AA98A625D95EDEC5C5DB9E3016626F01786001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029912Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:47.665{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A52484B30EE47539E15A8EA3968A5A7E,SHA256=FCF8B6B2142E464C3923BC90F7B7598B2917BD2A9A087F4234E44BCEB7DD9CA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046090Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:46.083{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59080-false10.0.1.12-8000- 23542300x800000000000000046089Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:47.300{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91938CD2D35AE671D07A56E53821E5A1,SHA256=7359595B71BEE5FD1C3F179C747A62DA46C5BA09FCDC79FFD66351E28C57016C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029911Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:47.431{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09EBEAB109E4C9B1E47BEC3595FE3C9E,SHA256=12CF1CE241161A8F839FBC996445581EC4E729C555577CA8C45250D62F24C64D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029915Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:45.603{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029914Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:45.541{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com54682-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029913Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:48.681{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DF2630BE03B2D1B4DBF2A36AA0A04B,SHA256=9395EB049505184831B8DE35F04D7D4F2B19BAF159FADDB2749639CBCF0818BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046091Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:48.316{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A5427405D3BF8D972D61348B16CCBD,SHA256=C3CD0312CAD2BD32F5B1DB96B122C9B8FB466215D198EB9F8BF650D2859F4E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029917Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:49.993{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21501C9F56427AF41787881CA615BEEC,SHA256=CDD0BD117B89617D93E239B1E22B75031462438D004F59620059897C80E5FC1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029916Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:49.696{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E243E4C879B42CBEED1A2263391AB09C,SHA256=442C8190E4468B476F159F125027370EC92F8DAFEB973C9174F34B65D59B5DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046092Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:49.331{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18FC465DCB92A8402D3A1BCBF91D108A,SHA256=FDE7870BD46353D71DC8436A54BC9CFE9888C04F5DDD5E7A340BCE4F5386B183,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029919Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:48.078{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com54872-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029918Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:50.728{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549D8B2850FCF6F6F8A3F2299598D501,SHA256=9FB829AE20AC465738CB955B300FA52E105CEB947FC92CFFCE778400EC41AEE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046093Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:50.331{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B7145233D74607D2EAB1F5F60A678D,SHA256=A5EAB03FB330A05D0B0B2C483C44E2D95A8DB7A56FC44F3356F9EEEB48D49B99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029948Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:51.869{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3E7E681083DB2E3C4000683F07E80588,SHA256=2363D5C0CE896CF9BD76A64B95B1D7653DFD6B3CA85CF8457D73E7057247F2CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029947Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:51.744{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3695BDF086143B8494F0488AD9FB8AB8,SHA256=666AB94A2F77315F261DD524FDACF4C2ED9E13B28E370765F5FB3486A6670C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046094Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:51.347{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3963071B045712B940DD028189561898,SHA256=8CF263AF8E93C58F33FB5A8BB33220416B47E7BBF6E49AC205ECC46971798DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029946Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:51.701{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-116MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029945Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:51.651{6F8252D3-5DB9-616D-0B00-000000000502}6281768C:\Windows\system32\lsass.exe{6F8252D3-5DB7-616D-0100-000000000502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x800000000000000029944Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B1DE730-CA30-4A41-B606-BD4FC12BF0FD}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000029943Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B1DE730-CA30-4A41-B606-BD4FC12BF0FD}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000029942Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B1DE730-CA30-4A41-B606-BD4FC12BF0FD}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000029941Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B1DE730-CA30-4A41-B606-BD4FC12BF0FD}\FlagsDWORD (0x00000002) 13241300x800000000000000029940Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B1DE730-CA30-4A41-B606-BD4FC12BF0FD}\TtlDWORD (0x000004b0) 13241300x800000000000000029939Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B1DE730-CA30-4A41-B606-BD4FC12BF0FD}\SentPriUpdateToIpBinary Data 13241300x800000000000000029938Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B1DE730-CA30-4A41-B606-BD4FC12BF0FD}\SentUpdateToIpBinary Data 13241300x800000000000000029937Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B1DE730-CA30-4A41-B606-BD4FC12BF0FD}\DnsServersBinary Data 13241300x800000000000000029936Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B1DE730-CA30-4A41-B606-BD4FC12BF0FD}\HostAddrsBinary Data 13241300x800000000000000029935Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B1DE730-CA30-4A41-B606-BD4FC12BF0FD}\PrimaryDomainNameattackrange.local 13241300x800000000000000029934Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B1DE730-CA30-4A41-B606-BD4FC12BF0FD}\AdapterDomainName(Empty) 13241300x800000000000000029933Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B1DE730-CA30-4A41-B606-BD4FC12BF0FD}\Hostnamewin-host-470 13241300x800000000000000029932Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B1DE730-CA30-4A41-B606-BD4FC12BF0FD}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000029931Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1300-000000000502}300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b1de730-ca30-4a41-b606-bd4fc12bf0fd}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000029930Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1300-000000000502}300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b1de730-ca30-4a41-b606-bd4fc12bf0fd}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000029929Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1300-000000000502}300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b1de730-ca30-4a41-b606-bd4fc12bf0fd}\AddressTypeDWORD (0x00000000) 13241300x800000000000000029928Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1300-000000000502}300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b1de730-ca30-4a41-b606-bd4fc12bf0fd}\LeaseTerminatesTimeDWORD (0x616d87eb) 13241300x800000000000000029927Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1300-000000000502}300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b1de730-ca30-4a41-b606-bd4fc12bf0fd}\T2DWORD (0x616d8629) 13241300x800000000000000029926Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1300-000000000502}300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b1de730-ca30-4a41-b606-bd4fc12bf0fd}\T1DWORD (0x616d80e3) 13241300x800000000000000029925Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1300-000000000502}300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b1de730-ca30-4a41-b606-bd4fc12bf0fd}\LeaseObtainedTimeDWORD (0x616d79db) 13241300x800000000000000029924Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1300-000000000502}300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b1de730-ca30-4a41-b606-bd4fc12bf0fd}\LeaseDWORD (0x00000e10) 13241300x800000000000000029923Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1300-000000000502}300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b1de730-ca30-4a41-b606-bd4fc12bf0fd}\DhcpServer10.0.1.1 13241300x800000000000000029922Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1300-000000000502}300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b1de730-ca30-4a41-b606-bd4fc12bf0fd}\DhcpSubnetMask255.255.255.0 13241300x800000000000000029921Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1300-000000000502}300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b1de730-ca30-4a41-b606-bd4fc12bf0fd}\DhcpIPAddress10.0.1.15 13241300x800000000000000029920Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:42:51.276{6F8252D3-5DBA-616D-1300-000000000502}300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b1de730-ca30-4a41-b606-bd4fc12bf0fd}\DhcpInterfaceOptionsBinary Data 354300x800000000000000029958Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:50.832{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-470.attackrange.local56503-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal53domain 354300x800000000000000029957Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:50.832{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c850:3789:89a7:ffff-56503-truea00:10e:0:0:0:0:0:0ip-10-0-1-14.eu-central-1.compute.internal53domain 354300x800000000000000029956Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:50.832{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c850:3789:89a7:ffff-65131-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000029955Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:50.831{6F8252D3-5DBA-616D-1500-000000000502}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:5457:ad64:cb05:3bd5win-host-470.attackrange.local65131-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000029954Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:50.821{6F8252D3-5DBA-616D-1300-000000000502}300C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-470.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 354300x800000000000000029953Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:50.617{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029952Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:50.382{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com55054-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029951Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:52.759{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1868DCE714BB30B4AC1A7F227A035250,SHA256=1A3F605D14BCD0AF3C9F000B1A21928EDA62040FA56A40B8679F268177EA7D97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046100Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:51.519{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51334- 354300x800000000000000046099Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:51.155{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60297- 354300x800000000000000046098Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:51.153{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal56503- 23542300x800000000000000046097Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:52.675{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1B231F72B09624B79647CC865005DA6,SHA256=547A1861D89AEB50BE8F35EFB846B97C102A569C1C91B5C6CE8EEB796004CB42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046096Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:52.675{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D40A030AA50BBE35C246CBEB1508D799,SHA256=6994190F0717F715416979C562901BC9C6E2E27ACB4DF47393E3F35630A9451B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046095Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:52.362{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E999C681104BDEE43E7A9843AA0A3B71,SHA256=093EB291EC058A045CB1BCC2B2AFB9F6DEB9686FD3663791CD8E9C16D9F597EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029950Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:52.713{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-117MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029949Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:52.260{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B929BE73AE055315E9384FF1CA38ACDD,SHA256=1E16CD6DF76C947B99D3F716089DEF9DDA0C2F6E4F8B4E59EB34567EF90FD299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029960Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:53.808{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5CD3E75754EA4711ACBF8DA50BE51A,SHA256=EA69C05B76E37B9BD186C2CF56CCF8D5EE98555F994F490183C70A746B4C8381,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046105Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:53.987{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046104Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:53.987{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046103Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:53.987{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046102Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:53.987{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046101Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:53.378{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D5D8E3C8C0BE89A8F735D9AC664662,SHA256=1B7C42E788251918B5DB8389A5CED31426F05B4C23AA0167C5D0C3E57B42F267,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029959Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:51.200{6F8252D3-5DB7-616D-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51187-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 23542300x800000000000000029962Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:54.809{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF67BD565D5AB9F6106049CD00703BBB,SHA256=11F0A4EDF8FD31E3B70C1BA4B932D70C79AE5F037EB414EFDA81CD8E5522BD1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046109Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:54.394{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5658780B6C78D19B3AAA7574350A40,SHA256=675F3BA552640E4249EF69EA0A3611FCDCCB65D268A32702AC5B1541170129EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029961Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:54.214{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FAB1D9F115B6E0FFE24D8C69D1E15D8,SHA256=56F324F63894D5FAC16A443CB12F69AD54B5A1E844FBF645036BD3FB1B3E6796,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046108Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:52.533{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal65222- 354300x800000000000000046107Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:52.079{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59081-false10.0.1.12-8000- 354300x800000000000000046106Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:51.521{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51187-false10.0.1.14win-dc-185.attackrange.local445microsoft-ds 23542300x800000000000000029964Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:55.825{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEA4BAD9048ECD9F51FC6BEEC3F4B1B,SHA256=55CDCD26206CF936E148A953E5F78C77172D11E1F65E462A8423538336CB27A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046110Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:55.394{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD0A384336A997FC2F34FEABC6108DB,SHA256=030ABCA90A917A52C658146B1B1C3039A614B5DCFC7FCF8CD55B94AE1C7BD4A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029963Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:52.322{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com55205-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029967Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:56.856{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA950EFF5AAE590F39AFA2445DA18EB3,SHA256=FCB5D45A31B070ABAD93C21AEA5459D46C7BA730D45B8283A207169F3DF7EFF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046111Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:56.394{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0D6E8E689A91C896FD5D3964831687,SHA256=1A28208BDF9DB79C41C834B1C4DA5C501855D9548566AB75408C06FFED223856,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029966Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:54.375{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com55357-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029965Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:56.278{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B05A235641BA65300531D743F570E122,SHA256=D5EA2D5ACF85B1A3550AD9701E723759A113BC90F4741E3BA1395A68E3357A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029968Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:57.872{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE870A7F64AAF8CFDCF1984AAD5374A6,SHA256=187742EBD5A2915FFBC8AAD36ABF909FFDFA5CA494F804E9B14DFBDC64C982F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046115Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:57.784{8D4DD44E-79A2-616D-2B09-000000000402}43845516C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000046114Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:57.784{8D4DD44E-79A2-616D-2B09-000000000402}43845516C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000046113Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:57.737{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046112Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:57.409{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F50017B4A9EFC9099F1B9D18768E3D,SHA256=6F2EB8F92897318171122226C6AB434F02747D80374254D57C1D760067897160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029972Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:58.887{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA1583EEC20EC1E69023B3BFC49663C,SHA256=5AC88C7E9914DBB01C603E47DA061DAC2F4023CB9680485D4FF20F33A409E1B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029971Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:56.785{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com55543-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x800000000000000029970Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:56.589{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046116Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:58.425{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0498253BD02F0F5A8F5ADFFBD252BC7A,SHA256=E996001F41E77B2B1BF0FDE0A473CC3F688D16D63A61B3C1D4AC510A8C6D3AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029969Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:58.668{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C262636E05CB63B00F3B6B377E67205F,SHA256=14136DF5F3C003BAB61E8100C9156674FF7F8623CBC85F527CC2688836D8534A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029973Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:59.903{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8A26929C23A7C2874CFA35E1DDB578,SHA256=D25D1726A98CF963F80F4BB908322FF08453C46FA9409AD32FD55866140703E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046117Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:59.441{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD588C3CEEF44842CD8ED89B1DAF7F3,SHA256=19D82E408D179CF594E892561B5FF39696B42C93F62F96B9152E386715C28E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029975Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:00.950{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2554694603ABEB0477A38416DD63B877,SHA256=6309E007D6DB81C2CD1F867BB2A0FF05DD9361F7A43B14FD9FE75912D61422BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029974Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:00.918{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F669168B1D4E2E01D312522B0BE4EB,SHA256=C9DCFF22F9A8E57C59D8D52A5AF9BAF1160B6E711BE96D9E98603355ACEF3376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046119Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:00.441{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80897FE31C3F4A9282DA6584D9FF77E,SHA256=CBD6392E80E89322FA5536357DAC0DF2EA52B58A68A589A1E3624E0BEF17047D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046118Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:42:58.017{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59082-false10.0.1.12-8000- 23542300x800000000000000029976Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:01.934{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE542AA69C5ACEAFB935DDCC5FB16B14,SHA256=74EDF96293B74CC1723DCA8BF9D57646FAB00A6DA302FC987E7B1A95CAD37535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046120Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:01.456{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620DBD7A8047EECBACB578714F3C50CB,SHA256=ADDDCFD3DB5B52B0C0C7F6334A5AF750BCFA9065A653FB89C728A4AEA05F5EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029978Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:02.965{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0839721D3EF4A5526FD64F36BD35BC,SHA256=56990A1218A05CB7F80C7953D7F95FE56055EF8C1F2C2AB9417044EC3AFC403D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046122Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:02.706{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C112C02F7E3B744748B30779338B6318,SHA256=CE6352CF2BEB18F0139EA9C440237830B68A9D60F7174619071E4F2266952887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046121Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:02.456{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524FEC89CB9753D05388223772324815,SHA256=53D2B9122AB2EB020C38ED3FBF019C634C3D0D9190792FE714F8A9AF0EF05784,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029977Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:42:59.045{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com55722-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029980Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:03.997{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CEF26551F06B66D0A48050530844A5,SHA256=A07055241774B1A82B524118FB7E2DDFC1DDB4606CF815745DA6AC6740AF0DAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046147Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.956{8D4DD44E-5BA9-616D-1600-000000000402}12924292C:\Windows\system32\svchost.exe{8D4DD44E-79E7-616D-5D09-000000000402}6044C:\Windows\SysWOW64\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046146Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.956{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-79E7-616D-5D09-000000000402}6044C:\Windows\SysWOW64\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046145Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.878{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79E7-616D-5D09-000000000402}6044C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046144Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.816{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-79E7-616D-5D09-000000000402}6044C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046143Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.769{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046142Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.753{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046141Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.753{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046140Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.753{8D4DD44E-5BA8-616D-0C00-000000000402}8482200C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046139Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.753{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-79E7-616D-5D09-000000000402}6044C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046138Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.753{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79E7-616D-5D09-000000000402}6044C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046137Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.765{8D4DD44E-79E7-616D-5D09-000000000402}6044C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32{8D4DD44E-5BA8-616D-0C00-000000000402}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000046136Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.706{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-79E7-616D-5C09-000000000402}5860C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046135Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.706{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-79E7-616D-5C09-000000000402}5860C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046134Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.690{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-79E7-616D-5C09-000000000402}5860C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046133Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.675{8D4DD44E-79CE-616D-5B09-000000000402}69326948C:\Windows\system32\conhost.exe{8D4DD44E-79E7-616D-5C09-000000000402}5860C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046132Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.675{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046131Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.675{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046130Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.675{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-79E7-616D-5C09-000000000402}5860C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046129Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.675{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046128Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.675{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046127Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.675{8D4DD44E-79CE-616D-5A09-000000000402}68606888C:\Windows\system32\cmd.exe{8D4DD44E-79E7-616D-5C09-000000000402}5860C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046126Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.673{8D4DD44E-79E7-616D-5C09-000000000402}5860C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /DisableC:\Users\Administrator\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000046125Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.472{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CAD08F5FF1DEFA5D83824C4188D5CB,SHA256=765C7E1C3F91A83032D3DF82FDC4FE0DA0CB58CAD32D56FD35E8351FCA9D1B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029979Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:03.794{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D6C7BE924C56B24A448B14243BD152B,SHA256=30492AA7DFDCA6FEE9DF6E2DDF40DC99C911F1924ED7A8EDCD1DF20F09C28510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046124Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.456{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67047D4756BFDCD099E0305A910CCAC3,SHA256=3EEBC19E318631FCEBA983FE8D3A02EEC71155AE4CDC63BF98FA4BBEE2762E76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046123Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:03.456{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1B231F72B09624B79647CC865005DA6,SHA256=547A1861D89AEB50BE8F35EFB846B97C102A569C1C91B5C6CE8EEB796004CB42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046149Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:04.691{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67047D4756BFDCD099E0305A910CCAC3,SHA256=3EEBC19E318631FCEBA983FE8D3A02EEC71155AE4CDC63BF98FA4BBEE2762E76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046148Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:04.472{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB640B688C5F6918D20E6D7051BC162,SHA256=63DF8A64E66120F2BB4C0F22FB822D6DF55EF14FB50F0D1514CB397B5C6CAA77,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029982Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:01.886{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com55925-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x800000000000000029981Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:01.761{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046150Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:05.487{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF2A73ACA3B6360893E280065F65C3E,SHA256=8251707D29E30F80DE8DBAB88306C6C8ACDE053096D04BE626A74B6754DDB875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029983Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:05.012{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03201242DE12814ADE9CED0F3E3669B,SHA256=9CE30AEA3813BA45C5F41D91B045594821494D3DCABB1708AD01E0D3B0A609D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046160Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:06.503{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64615BDD9D943E3DFDD0592CD03C0B44,SHA256=79FFA7C32CEC7241045F867E09BA85C6278CADBF276014D7751D73BE96056794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029985Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:06.450{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A69B7DB99308C16A635589E196096BF6,SHA256=4055D8B0C1AF902C828C707B2BB5F1CC8299D4D468F1384C61410A2A319280AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029984Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:06.028{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607630EE9FF24EF1225B5990509BD5CB,SHA256=383C3681FCA4C693C729DC7556FC068D8EA1129794FC9AF0EAA40B9A40F38C7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046159Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:06.362{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-79EA-616D-5E09-000000000402}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046158Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:06.331{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046157Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:06.331{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046156Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:06.331{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046155Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:06.331{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046154Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:06.331{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-79EA-616D-5E09-000000000402}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046153Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:06.331{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-79EA-616D-5E09-000000000402}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046152Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:06.332{8D4DD44E-79EA-616D-5E09-000000000402}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000046151Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:04.063{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59083-false10.0.1.12-8000- 10341000x800000000000000046179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.988{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-79EB-616D-6009-000000000402}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.988{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.988{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.988{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.988{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.988{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-79EB-616D-6009-000000000402}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.988{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-79EB-616D-6009-000000000402}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.848{8D4DD44E-79EB-616D-6009-000000000402}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.800{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.503{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C9DC6EB083AC41947ED18D25FC2498,SHA256=5DDFBDE0C889F98245F10247E64E2A4A187F3BE713017B17DD197D4257FD7688,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029987Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:04.544{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com56139-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029986Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:07.043{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D009A54B4D114AB150C0BC086EBD60F7,SHA256=E48853BD442D9FA8890CB2F2A7ACD45582C030968527E151E0ADC21FE7A5D0F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.488{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=790C651336F87D4F80649C37365C7301,SHA256=478829E37CEA44B941BA84FDBF182861E62AC69A075D54E1482826F5C03549E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.128{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-79EA-616D-5F09-000000000402}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046167Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.112{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046166Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.112{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046165Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.097{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046164Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.097{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046163Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.097{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-79EA-616D-5F09-000000000402}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046162Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.097{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-79EA-616D-5F09-000000000402}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046161Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:06.957{8D4DD44E-79EA-616D-5F09-000000000402}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:08.957{8D4DD44E-79EC-616D-6109-000000000402}70167032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:08.878{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=126198367964815FF4E7A9AB8D04201C,SHA256=9E829D7DDFCFD246BC22D75E1727C038886E8FF2C450D5ACA2D0B6ACF93F649C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:08.738{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-79EC-616D-6109-000000000402}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:08.738{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:08.738{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:08.738{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:08.738{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:08.738{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-79EC-616D-6109-000000000402}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:08.738{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-79EC-616D-6109-000000000402}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:08.739{8D4DD44E-79EC-616D-6109-000000000402}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:08.675{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488074849EC4976FBFB1134FB1DD551F,SHA256=E39ED173B1BDB27B7C4E9A894B25854D2D99668BEE94296A3294FF26A748E7DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:08.300{8D4DD44E-79EB-616D-6009-000000000402}63766388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029990Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:08.759{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ECE9C1CEF18FCB388C6672D7D43D52C,SHA256=C8D1BC039A023CA3C27E61A48429AACABE4397B7414E0FEF74559B7F9E13859E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029989Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:08.462{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029988Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:08.056{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70DED90F1B3013F0404D5E1A2101255,SHA256=B0C7D7D1FF7F83C9CC75902C53D77E50B2A013B9F24D3BC612AA86508AC34D1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.988{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-79ED-616D-6309-000000000402}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.988{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.988{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.988{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.988{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.988{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-79ED-616D-6309-000000000402}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.988{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-79ED-616D-6309-000000000402}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.989{8D4DD44E-79ED-616D-6309-000000000402}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.722{8D4DD44E-79ED-616D-6209-000000000402}69565780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.691{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA31BBD3AEA47F9E566B4F67F0DD27A8,SHA256=60B903E7ADF1BF0BD17AEE38A833ED2D97D2F4F74467C19A4101633B6BC6A5D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029992Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:06.881{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com56320-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029991Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:09.071{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7874A373290430BBDA690342470CDAF8,SHA256=2687CF4C5B7CBA9136C3E80824412CC7C48FEB49319947E5AE9A1B8A1B881129,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.488{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-79ED-616D-6209-000000000402}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.488{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.488{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.488{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.488{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-79ED-616D-6209-000000000402}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.488{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.488{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-79ED-616D-6209-000000000402}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:09.488{8D4DD44E-79ED-616D-6209-000000000402}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000046192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:07.661{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59084-false10.0.1.12-8089- 23542300x800000000000000046213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:10.691{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF575F0A30F60069F4AB5454EC35C16,SHA256=45D92D372EE73EB0AFC4B703DAC3123DB9E54A6C57870720217B44079726936B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029996Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:10.696{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F4A6294F4DE7E1A12D7BEDEFC679DCA,SHA256=C78A5E223E084BAE91CB9F45AB6D301CBAEE6F38845FDA57B841C9E21DBA40CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029995Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:07.992{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000029994Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:07.757{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029993Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:10.087{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DB9041D673E5CB0A1FC2B69503D4FE,SHA256=C4C27FC7A558CDF4A5A43D633ECDF871A62448294632EF758C1F69D3611D11FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:10.503{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7837F2C36DE8975133756F1C7C9FA38,SHA256=098617063729D12FA58798935B39C9864C9AC7919B1FE6B1E89C745A07C26BF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:10.238{8D4DD44E-79ED-616D-6309-000000000402}69046332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:11.847{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-79EF-616D-6409-000000000402}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:11.847{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:11.847{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:11.847{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:11.847{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:11.847{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-79EF-616D-6409-000000000402}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:11.847{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-79EF-616D-6409-000000000402}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:11.848{8D4DD44E-79EF-616D-6409-000000000402}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:11.738{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC79779D61AF9A70F0619D7A7A8A062,SHA256=D3A80ABC8606E7770798A357718012408510CBFE0662E10182424B2BA14DD083,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029998Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:08.805{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com56463-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000029997Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:11.102{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38FFDAFC8DE7DBED614CB1430FBEF65,SHA256=3605C42FCAD696055182C4C922F572F36F155782662AEBC61D0BBD4F69965756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:12.878{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=995C5E90B46A8B4C63011391A16567D3,SHA256=FB51A271C5352C4BBA928D962787D66D15550969190E1E987CA4E0304267062D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:12.863{8D4DD44E-79A2-616D-2B09-000000000402}43846084C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000046225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:12.863{8D4DD44E-79A2-616D-2B09-000000000402}43846084C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 23542300x800000000000000046224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:12.800{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19BC96180231D4808386DF9EE487B65,SHA256=79C89EA9F11E5F7159239CBE78CD9B1526BEFECCCEA26ECF9BF7FD086546768E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030000Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:12.821{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D113839819717F1273B7FB2DD79769B6,SHA256=453FEC1B94410D961E14B93735627A334A749E9B9CB5C8F4CEF15E891BD16932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029999Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:12.118{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76AC88451085FED60A3B48E35C10C52,SHA256=D1277EF30FC3022A7183498650199C5273FDDC84E950C4A8C3C52845C2528D81,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:10.048{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59085-false10.0.1.12-8000- 23542300x800000000000000046229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:13.847{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF99146B5F91938F61143B53A1D44A8,SHA256=E27A2EB357EB1B8341F9FD42C74C94D80E6D9F0BEA5C494C53E7DBF5231A335A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030002Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:10.938{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com56632-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000030001Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:13.134{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0895F3CEF2FFF3559C1FD1F0CC4DAC,SHA256=C2C21F928AC9A13199C1BE77B14AFADD0B91965AA112FF91304214196649921E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:12.150{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-185.attackrange.local59086-false20.199.120.151-443https 23542300x800000000000000046231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:14.910{8D4DD44E-5BA9-616D-1600-000000000402}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000MD5=62D157F0D672E66959D6C671A190EE8F,SHA256=4580A9F5F5EC916CBF33579A31C7103B4097E137382B30414F929016170F1412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:14.878{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8653D8B7AE34F20D53E4704913F5E67B,SHA256=BC9E5266713386E5D6E3EDF989C6E8CC95F370BE56F017F1AEDD2989E483AF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030004Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:14.978{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33EEF3815EE1CB34FEC147817C123615,SHA256=6FE190C0E4206B39306EE368364FBC29C036FA846E3EDAAC9D4A87491BD1BF87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030003Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:14.149{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D718E55B01093A82048AFB70546AC5AB,SHA256=9B2ED6B58BCA9853470397D54D6EEFFB365B3F388944EA968658833DD7B21B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:15.972{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5DAB1299AF795E4F2045978EE706FEC8,SHA256=8C0631D1D9EC1BD05744B72B8F4B2C654F84F7A72B08FF42E96836021F328BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:15.972{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8BAE93D2A84422E5C91ED5381EC452BA,SHA256=4EB1C2133B4F53895CF3A5B42A33B1B858846489EF603AA87B87271C80F9D775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:15.894{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9AD28D20A87267F4DDAA40F40EAA5AB,SHA256=7EE2F8086C0AE7DE54F87830897AAC7DE15FA63B9E73A3485F713CCEE1533A7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030006Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:13.084{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com56788-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000030005Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:15.165{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41A4FF722E2A709469A67476204381A,SHA256=F255775F7E5DC5568C01FB118CC76FC3FDEAFCC3EC94CA518BD11530BD9C8B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:16.910{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5302A08BEDAD7C7A6BB3A860B333CD87,SHA256=42E7E76FB66F0CE9E1FEFD9451132C42D25C96A4EBD3389CEFEB8CC46E503C04,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030008Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:13.788{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51192-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030007Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:16.181{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B982A1A9F3365D40291F901E805F614B,SHA256=48D7830C2B482F75999702B26D7275AFEA02FCC94C5D343C70F6299BD98716AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:15.111{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59087-false10.0.1.12-8000- 23542300x800000000000000046237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:17.941{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E28415C4FEB0E151751806047146541,SHA256=41BDC97DCD0139A6402EFD9BD7F970E0A04654E1FB3FC1B3A846E514654A5213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030011Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:17.540{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEE68A842861FFC384A5CC65AB8B8167,SHA256=C1FA35F356A82480BF0AB9E690D6D1D10C4BE8E3B3176B13522B466603F49C4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030010Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:15.581{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com56987-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000030009Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:17.196{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93F74015A588777EA7C0370538C03C8,SHA256=4648268D0724CE9E51B1DF9CEDCDE153725B5E50585947DE416AFF1BCE4F68C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:18.941{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438A0212A8F2DA5C99AF307ED3DC62CC,SHA256=5039F87A442367E7D4A0D66CC81D0937F0D94E9DFCB2C953E6761E61409591AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030012Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:18.212{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F30EDE8F7F3788E7E7F970F59C09E0,SHA256=74F24B595D79AE3F33CBD6FCF8934C51F619DF8800ABF8BC0DD2E0F07A14583A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030014Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:19.743{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=251D0B9D40F5BA7B43E34C1355408C95,SHA256=6020F1A2C956F759D574C0C3733AAC2783442D779A9450C31DDA6A625BB4F57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030013Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:19.274{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD19ED9AD249120BF7F56792ACD52AAF,SHA256=22E80131396A4A50B32198C1416CD23A62C9408EC5779FF03D14B7519C5A2E76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:20.175{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910E6B934B2150F7E937FCA03ED1B879,SHA256=9341E4015793D91ABB09877E9692F19FBCFCCE7BED06A8CAFFA91CAD00C3BE74,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030016Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:17.414{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com57132-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000030015Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:20.290{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A9F66ADEAA95AD731776891041A92D,SHA256=4EC429D06BE86BCB1BA84D3F589D370092E2B74EDE6591757721E5B64755F50B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030018Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:21.540{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEBCFF1F32A66BB164AD656D81D68909,SHA256=2060670A69AF2511F74A776A3CB99B89303F2C91DF9B8C026898B51603CFB4A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030017Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:21.337{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A6313D71942713CDCC8DB47F5F7AB47,SHA256=9231CC08A62D9E37A648DE1506C4DC99E30A542A2966D15AA66D149BC6F71F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:21.191{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5924174D63F7EA30C46C0C13FAB8EA9B,SHA256=1F64EA5C04AABC3EDBB5AF1DCB2E2DEE66B9CE63F0D69585056A633EF43B4D4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030021Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:19.804{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51193-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000030020Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:19.646{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com57287-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000030019Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:22.352{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5CF24F25568F45850800BA68266CE17,SHA256=923829F4379611A849BC7CD58ADE7529CAB170AE206385249F82F3C385064C36,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:20.892{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59088-false10.0.1.12-8000- 23542300x800000000000000046241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:22.206{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A7AC6198D9BA578FF375D0EE0F8FFA,SHA256=4B70896293036F3525D48DCFF9D31C63A3477C0A846FC3991495621E1E310BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:23.222{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0189FA26C7CD79B34333C56E2AFBAC,SHA256=61AB5B5F4105267AAF6F342BA1333DC504F889AA3E43412DF0FF5BCD3BAE4927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030023Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:23.477{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0715CBE32ACF237794D98E23AFAF9781,SHA256=966FE2E558D0FB8441DDD98BE582B813395600EEB1E6F78955F35AD0BC5F19EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030022Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:23.384{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4DACAFD91D013B8252F88BC5EFF9C0,SHA256=B7FF9433DDB9F9912A5DC6001F25DE82B6CBC106A4A73C8F8EE466C715E49CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:24.269{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6266A492B6676F28A99795089DAFDEC6,SHA256=8A9D0B21F147162162286A79DB09DA9918424CCC9E9858DE2A5B7E55B9E55566,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030025Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:21.577{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com57443-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000030024Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:24.431{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83D9C6898149D51D25A54701224AC08,SHA256=75F2867AFA3D51F14BFF246662811CA99A845235E9C68B94D4721352F86BA0DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030028Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:25.462{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D7AA334DBD5596743C0536DC36FEDF,SHA256=2BE6EE06358E2CF18F6F6AC2ECBB26A2328A61C97ECECCF6E5C6629983DE20BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:25.284{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BAD438EDA02BF4084F169AB76D52076,SHA256=D1E86D6A2162880A20B868D9F9FE837E005996A987613C66C235DD2FD0925C36,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030027Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:23.365{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com57582-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000030026Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:25.259{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84CD685E87EEE086D8EDFD3486D8ED34,SHA256=633A39E93B19EEB568CE9FFCB4800C0E4049BB0CCDE0168F5BF045015AC38057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030030Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:26.946{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C721C55499DFFF0F0FE68B9387809C1E,SHA256=2D17FF919E500EBFE77413A7FE6777D8F0C8B91E41535104368ECA192AF715E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030029Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:26.509{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E71E637CF6458BB0E12B0260C056E66,SHA256=CEC8F81E8AAA7F8CAD3DE78EFB24670A40529215505D6A726BE4F10757C55CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:26.331{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0940B585AEAA95DFAEADA69F9F22A928,SHA256=9A291E75F3D817714659096981E751250B03868BE5C8EB4CAAE545A3AE324C8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030033Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:27.548{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A50E09A213FEB63FA4096588AEB401,SHA256=0FF635C09F0F22A4FB7432FD8B969C89E67732576245124A563C74E7F4205879,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:25.923{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59089-false10.0.1.12-8000- 23542300x800000000000000046247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:27.339{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10616A983B36B51E29481DDC47E5857C,SHA256=ADD2D981F7328B132E9162CCD8BF59B04D3725E063C871DACC0B5D7C63B1E7C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030032Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:25.711{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000030031Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:25.050{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com57712-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000030034Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:28.563{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECECFF4EF39A554D35F20493CF73492,SHA256=19EB29946805925EF529477144509002737B582B8599F3D409F07F7D84D4333A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:28.342{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8F277591BA0A96D8953DC876BD2035,SHA256=E0EFDF0FC625BCC8673C0FAED8FF0B02033E82B2B313A214A71FE744FB3829FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030037Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:27.549{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com57908-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000030036Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:29.579{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0072EDD0605B437F0EF1B708B97EC6,SHA256=ECDCC336501FB237B5F7FB36259D28BA38C8B51873167DCD77ED6F9698732D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:29.589{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202F26DCBDCC7D74292A2D08BF6FBBD6,SHA256=7214C7448D12843803EA86497E38EBE2D97B2CB6DB10BB1CFFC4A0995D48E00E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030035Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:29.501{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04EEFF0FF9D4274E8F4DFC70578C69FF,SHA256=D4FE33B5AC755F9AAB8D56399B96C383D152BB90A54F7697280CD9EF7473D2A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:30.620{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDA2A8B00426FA03915EFA297097E35,SHA256=9031D8F9F29FD6BC7DA4ABE7D30744D60BE73D333177D4E12C80603CBA1381EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030038Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:30.610{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E279573C824DBDB1DFB3ED88A52B3A51,SHA256=4865865FFC50B6B8724C42B1604E885380A9E892F72A97DAAE84C963A82078A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:31.836{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0736C8BEF1A0FDCDAA7F3031ABC7755,SHA256=C4346F561E63027E937B68516CF1EEBE4C8CBB1EC8275B321E3E3BDB998E85F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030068Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.876{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7A03-616D-F206-000000000502}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030067Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.876{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030066Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.876{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030065Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.876{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030064Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.876{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030063Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.876{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030062Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.876{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030061Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.876{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030060Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.876{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030059Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.876{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030058Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.876{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-7A03-616D-F206-000000000502}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030057Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.876{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7A03-616D-F206-000000000502}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030056Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.877{6F8252D3-7A03-616D-F206-000000000502}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030055Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:29.413{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com58040-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000030054Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.626{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D4219AE3CBEE0C8C42C96517F2772D,SHA256=1C98DBC530CB96DE3FAF6D36397A2768E7864CBEF6108874FFE878C7BD321095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:31.498{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-125MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030053Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.580{6F8252D3-7A03-616D-F106-000000000502}2756364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030052Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.376{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7A03-616D-F106-000000000502}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030051Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.376{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030050Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.376{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030049Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.376{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030048Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.376{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030047Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.376{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030046Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.376{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030045Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.376{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030044Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.376{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030043Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.376{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030042Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.376{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-7A03-616D-F106-000000000502}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030041Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.376{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7A03-616D-F106-000000000502}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030040Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.377{6F8252D3-7A03-616D-F106-000000000502}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030039Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.298{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B543C38CD9C82CF9CE719F5C0C1CE05B,SHA256=06A0B82149B569883B9B0A3AFA5520FE13D0727231CA5C8A3CE5F7845FF192E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:32.851{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B714AD448A400E5818FEDACAD736BC,SHA256=14CBBDF2546004307BC7ABF409C3A2DB700F1F3ADC421E636E6F62ED2E0E94A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030083Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:32.782{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C34CCF2ACBF95E4ADF6073A599563E,SHA256=B43CF3BEA6ED4151F227C1903DA4445088BB600B320C0F207C8EFC172263FA7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:32.509{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-126MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030082Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:32.485{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7A04-616D-F306-000000000502}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030081Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:32.485{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030080Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:32.485{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030079Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:32.485{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030078Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:32.485{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030077Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:32.485{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030076Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:32.485{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030075Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:32.485{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030074Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:32.485{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030073Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:32.485{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030072Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:32.485{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-7A04-616D-F306-000000000502}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030071Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:32.485{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7A04-616D-F306-000000000502}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030070Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:32.486{6F8252D3-7A04-616D-F306-000000000502}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030069Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:32.391{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AFD9E1AB6E88A1B7DB8842A610A8BC7,SHA256=A620A8B5BDC0946C959DCC3905971FD8E0C4E09BB512740FDAB7C2C97F4B22BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030101Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.798{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30AB5FCF63D3FC855026BFBEA3A77FC1,SHA256=0C2212DD00D2F9B6005CEEFCB596303FBDDDF8E0BC0F31692F766560B6632663,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030100Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.655{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000030099Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:31.220{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com58180-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000046259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:33.854{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C257C2EEDE47B1948C8FB513C2E860C8,SHA256=BC56B516857E9D3F9B16EB63008C1CBA9240444EF6E652173B0269C635347B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:33.166{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F7FC112C99572F16DD868FFB3091607,SHA256=CD075F05B534F4D37612B27A8D7DCA7812A0A9417304AF9AAD8DD31FF65AFD8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:33.166{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EE2A0053D0749FE4C091FF9F9E60E62,SHA256=74A17A7DB042357D2337D3F5E1AF3D455EB70CB5D61771DCDD6C966E6B518584,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:31.056{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59090-false10.0.1.12-8000- 10341000x800000000000000030098Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.719{6F8252D3-7A05-616D-F406-000000000502}27323092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030097Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.548{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7A05-616D-F406-000000000502}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030096Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.548{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030095Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.548{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030094Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.548{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030093Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.548{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030092Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.548{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030091Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.548{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030090Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.548{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030089Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.548{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030088Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.548{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030087Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.548{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-7A05-616D-F406-000000000502}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030086Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.548{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7A05-616D-F406-000000000502}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030085Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.548{6F8252D3-7A05-616D-F406-000000000502}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030084Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.501{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFDF79D23ACC688C3288F3503F09EF9E,SHA256=186505A589B2293A6E12269C254DA2895137D6A0CD96F0D81E1ACCABE7E48E50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030117Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:34.969{6F8252D3-7A06-616D-F506-000000000502}39363232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000030116Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:34.813{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DCB7984EFC59DED18D440F02C8B04B9,SHA256=0BB5AB6AB317EC04A7A1834E15E618A4F3A003C4BB4061DF92456D6915C308D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:34.916{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3B59AC5CD92A43AE85BAA1869F2229,SHA256=703936C80F6229D3AE7212705CFF0A774EE716FB8E7F538703065AEE2CCCD473,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030115Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:34.752{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7A06-616D-F506-000000000502}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030114Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:34.752{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030113Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:34.752{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030112Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:34.752{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030111Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:34.752{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030110Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:34.752{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030109Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:34.752{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030108Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:34.752{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030107Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:34.752{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030106Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:34.752{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030105Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:34.752{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-7A06-616D-F506-000000000502}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030104Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:34.752{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7A06-616D-F506-000000000502}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030103Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:34.753{6F8252D3-7A06-616D-F506-000000000502}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030102Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:34.563{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90CE5C08F80F9A8FF1594A5EC2B0CA95,SHA256=92BDB12CEFA43219A6F41F4F596589D268DCECD8BCA7AEDD360CB96BC3663988,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:32.006{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local59091-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000046260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:32.006{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local59091-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 10341000x800000000000000030147Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.923{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7A07-616D-F706-000000000502}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030146Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.923{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030145Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.923{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030144Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.923{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030143Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.923{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030142Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.923{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030141Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.923{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030140Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.923{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030139Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.923{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030138Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.923{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030137Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.923{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-7A07-616D-F706-000000000502}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030136Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.923{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7A07-616D-F706-000000000502}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030135Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.923{6F8252D3-7A07-616D-F706-000000000502}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030134Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:33.500{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com58369-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000030133Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.844{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D02E9E81A9EF6B4FF133D1C450EC20F,SHA256=6E6A20758C4E221CF7218C18B7EF973032EFFCDFA3D38DEBB011269585AF4A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:35.963{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D6E9C1E1D14B1822045C74B386E509,SHA256=F069514DD498342617630F99054BAE1341A29F3A2A31169417313F013CAD6CE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030132Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.782{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59611EF321A1AE0165691D1C67DFEB7D,SHA256=839AACBE1553EB70FBED81D9AEF120A6AD6543F27046EE61C345C4B0399B2EBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030131Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.407{6F8252D3-7A07-616D-F606-000000000502}35322040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030130Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.251{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7A07-616D-F606-000000000502}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030129Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.251{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030128Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.251{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030127Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.251{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030126Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.251{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030125Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.251{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030124Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.251{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030123Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.251{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030122Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.251{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030121Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.251{6F8252D3-5DB9-616D-0C00-000000000502}7283728C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030120Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.251{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-7A07-616D-F606-000000000502}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030119Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.251{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7A07-616D-F606-000000000502}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030118Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.252{6F8252D3-7A07-616D-F606-000000000502}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:36.979{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0D56055E69E8A67E654DDE7269D0AA,SHA256=9FC3998057A8EC715D766AD6F337A490034C36D679363087E2C898637A2017DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030149Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:36.954{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00461AD46D94B79D2848D06C0BD95889,SHA256=4E6DE057FCE6FEAF7F39BBF3652038091E933FB93B705D911679FD5339AC6F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030148Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:36.860{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A3BF3673E23F13814C59C92226329C,SHA256=6156BB0077B79DCD2F945213AD27A25DB167B4D88FC846B6378BAE48C263B704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030150Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:37.891{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55624C4B9AC20C8E2C3CCAC5A792187,SHA256=ED03C5467B4C30F4626BBE5BEB0C46D4058E48A5CB24F29D2259DE4BD1A7701B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030152Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:38.923{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB244EB41C1754065B15EF9B89A9124,SHA256=865A3F984A7AC105A908F0C53BDF58D6FE5640254BFB2A8941D528EF8BB037B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:38.025{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA2A3D60AE196B534B2631E876F2B45,SHA256=0456369D937450CBC259E9663C02C40FEC167BB26AA8478497EF468DCC3EEBCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030151Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:35.692{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com58547-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000030156Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:39.954{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0640C2D37E87128842B24D0F2D197D76,SHA256=DC3BBBCF5CCF9E8A1FE6CCB5652524C91573FFFB9CB522A1AF27E3A0856C24F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:36.961{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59092-false10.0.1.12-8000- 23542300x800000000000000046266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:39.026{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B77FF6FFF049ADDA4C62C92BF3932E0,SHA256=DC8786779E5FD35CBC95797D22A80DDBA1C3AFDE62C86C1384AB89706C25FA66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030155Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:37.639{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51196-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000030154Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:37.611{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com58682-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000030153Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:39.501{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF14C297E5DD0602090E5176ACECC851,SHA256=FDA576126DA553D57205CA9BA59BEB8445C76E52244BC6316ED03E99614B224A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:40.088{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC22AF8D0B80A7F9138738ABBB704B3,SHA256=485B811302FD1AF8EA6338F02485FF65D3411A4BFC7C7102EBDEE3C987BB7318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:41.103{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46866BFA35883F89E5F59F64F6A2C27,SHA256=2D8F6CB9D1C11A71FADC073AA7AF318D91EC8896C4734C12FF3FEE0BBC3C2D82,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030159Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:39.783{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com58839-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000030158Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:41.688{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=415A8CB97DAC7716226997B631A6D4B8,SHA256=AF393FECFF8CCE8F88958FE5E5168C199471E7108CDCECA5C11E0DC15A3E0787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030157Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:41.032{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7F15B1247A4BEE3A0E1E39AD819F3D,SHA256=6AD6BAC0902D391EB7A74A73449B967A7840F3C9A4AEF8C2BA166CFFFE9A63BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:42.104{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A08654E369649858E0321B2D48A47C5,SHA256=4B3FDEEE77EF29AB76F9DF27584742D608C0705B1146AA3D223A3D4F240866C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030160Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:42.126{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059503785CDE946EB52C646D237484E8,SHA256=87C3CF49FFC88C03DCA34BF60EF670D4ECA957B855E0DE98CFDF5308A10D9F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:43.135{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE7DDB8DCD3F6D1290F6EF083114D7C,SHA256=5763E8FDE3B16B9DF0A526DDD36B6F961C5C1D0E0C3368B0F13540477EA473BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030163Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:41.803{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com59006-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000030162Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:43.719{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25B1B548A1C59F3ED5B89F279F010E57,SHA256=DDF674E0075A134EAA564693F0FDA4290D1C663F5B54607F12737A24E3BA00DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030161Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:43.173{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92E569D1117900ADCA527FA8BED51B2,SHA256=4118F1C82184E576D1064604A33387A1D1E5A5F7ADADD1A5A37F100ECB4C9AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030164Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:44.219{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D357D7640CFC13F6BBA52A9910B45AD9,SHA256=E06FDA272B0BC4ACFF7237463630A40810FEA862102C8A88A6EF46190FE3DB63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:42.101{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59093-false10.0.1.12-8000- 23542300x800000000000000046272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:44.182{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BB489E28F05CF7D0EB4A44D0CFF52F,SHA256=AF712E6B884227399892C18965038EAC0445554FE6D7DDA6110A877F171917D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030165Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:45.266{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C1F0F41A7919BE0A3B802BC860CF22,SHA256=8F34EC5DA1939021BEA95CBBE77DC1288307D5E6AAF4218B17310B8FCF4AF9D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:45.197{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEA2F5A6D48A3D39242760D4AD648FE,SHA256=9104A14CA2DFBA29BF780F54B07567320B48C53FE2DAC0AC0442EBA670C92EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030169Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:46.313{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E69BAFDEF4DE0A9371B89D50CB1673C,SHA256=CE59BE9C44B9DA7E269B51BAE1A47762B427926015BFAF4ED04D7B238701B1FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:46.432{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B5B94CC65D135730179A58579A67593,SHA256=1ECC4D7FD569F27FAB674B34B0C446D9B90CC3641755F0EF797741F25C732F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030168Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:46.266{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED2FAF4129DE99C5372F23367322AF44,SHA256=D07662956DCD6C1F2A56BD740944594EA1626C37C1A03EE450FAF08587F3F552,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030167Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:44.348{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com59211-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x800000000000000030166Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:43.670{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:47.445{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBEEA45DB21AE10CDE38A382D53D39F4,SHA256=736CEDEF2CD97B519CF7E09287BE07BB2EA8FE161985FD977B6B045CAE22388C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030170Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:47.341{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FDC3A8E7A029DF758C18D5829EBF02,SHA256=68FD6C613DBC9557A05AB79BBCA8EE91EA3D8A6657E16474B2B1FF643FFF6890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:48.664{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861E67EBAFF3250B81BAE1F7AEA8311F,SHA256=4E80691369793419035EBA1BE899C29F1DBEE4A4EB6C49131B42B94A1F5CAC30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030172Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:48.373{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6350B9E4DFC08E0CA74F64716172C3EF,SHA256=38FB1E5F0304789992F3AE6DFA29462A1E4C4B5ABAAE3B8644540A976C58D897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030171Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:48.373{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE2EF93AB43EEA86EF7265A7AF63A99,SHA256=1FDF63169DF3A85E401BAA48CAC276A5B69F06D0985DCC33E18CEAE56FB612C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:48.036{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59094-false10.0.1.12-8000- 23542300x800000000000000046278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:49.711{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0695AE71718A3D1D7C4BF6619E05BEC,SHA256=00EB8D8CA9A97BB537198C35F7D5402BE2FD790250DADDAEF8B2D5DD66EEF2D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030174Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:49.388{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC29A43CD7AC51566FE8C728544F63D7,SHA256=2F724D39EAA0E372A1433E710929ADFE409B08ECEABFF6A7CCC0C20667322099,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030173Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:46.440{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com59378-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000046280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:50.726{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B46ECFA608B90B0193A9663D2C5388A,SHA256=02B2FA10A85B4D21CE386C1A4A3AF2E6E0CF96FE2D5A5BFEF21F1397FCCCF4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030176Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:50.404{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0A98175C127C332275B0ECCDA409F7,SHA256=FEF11816FD6B2BEDF42086652B8096807DF9ECA83B0B4898BEFB93A43A3B4115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030175Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:50.310{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A03D4159375AF2D3CA6546D56AAE1474,SHA256=4ACD29142B96816F3C37444A5EDC70E5A0911055785FB8C4678B8E28B36FAF80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:51.758{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A66233B401AB2CDC0A6BC27B9AF5345,SHA256=6FD69A75CAFE3746E1C39CB475F797E08CF2509C1DBC921A95A4DCF649858C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030179Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:51.873{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D9CD3D76F1F8BA7B63F1DB7F5C53ED61,SHA256=E53ED38137A4A0721D895C33109D77862489F460A5B9D2753084D6FF00829556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030178Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:51.419{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482EE4A44429A6D45370F47FF7E19662,SHA256=264929330E3756777896F79B7790F473EF05D9BEC839D810BD25BF6366C35F92,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030177Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:48.407{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com59534-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000046282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:52.789{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40471A0878BC1BF813192D3BA0242BA,SHA256=B8B0B3B18F5F8564C2307BFDB6E4C6A8A0F210C8D8A012B6D448BC7E5E66177C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030182Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:52.466{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=617D6B02312F96A819F51689EF30461F,SHA256=AD802013F670BDE85711E4170313633ABDC80E7C7F29B12E64CBDF405DA75A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030181Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:52.435{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F6952E02211B37C9E7EAEEA8FA3971,SHA256=E34814480F8710B5470EECAAEDD7743DC3D1D9311A4BF0D90FAF2F5AFE7E044A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030180Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:49.667{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:53.804{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A601B9D3CDFEFF9194B4D029FA8912D2,SHA256=DC8414CAD1BB9020EDB9FD04F024150F12700B84702FB083507F95720AC85C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030185Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:53.480{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22A52973B64CA93AE3B0BF8F9B27F1D,SHA256=B2FA556833C8778AC0348F9E57F100B3C2FFB828485983E579621386DCCAB1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030184Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:53.235{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-117MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030183Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:50.508{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com59693-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000046285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:54.836{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C128E5B34D18552179F14E1599B947,SHA256=8096AAD4B7D55097975C960928CFECDC32272848EB34B01670F0D9FAF15504B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030188Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:54.713{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=918C5A87893B415F38364090EC73B500,SHA256=924555FB2C9CE3B6E0A8778CE27F2D395D2192C2183309681112F98BC290A4B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030187Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:54.494{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1E871D32F7C26E4DED5CAFE746BF52,SHA256=6B545B799E3F478C19C7A6C9E7A37383518D3569AE38896A223C548BDA2E7395,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000046284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:54.336{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x800000000000000030186Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:54.246{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:55.851{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F521D9C927EC92D6438FF374579446A0,SHA256=FBD0C76035B75FB688468E857EA876A9E2F09B9E51CB7D68D698F1F38C5AB2D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030190Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:55.575{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE7297D8B649AD724140806A7899022,SHA256=AF9A1E3C50AA002FF1B43AA9D745643018EAAC3428820E8C362835047D257790,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:54.036{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59095-false10.0.1.12-8000- 23542300x800000000000000046288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:55.367{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6DACDADEBC1A35AC9354E3ED8104AF0F,SHA256=0100734E786D6D0F8AC7289B020E44C1087C4DD501F015CEE569601B3438DFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:55.367{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6DACDADEBC1A35AC9354E3ED8104AF0F,SHA256=0100734E786D6D0F8AC7289B020E44C1087C4DD501F015CEE569601B3438DFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:55.367{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5DAB1299AF795E4F2045978EE706FEC8,SHA256=8C0631D1D9EC1BD05744B72B8F4B2C654F84F7A72B08FF42E96836021F328BCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030189Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:52.832{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com59871-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000046291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:56.867{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1A6C328836A1395CE0CE3AEEBCED5D,SHA256=2288CE635FEE0ABE6ED26C317F549DF19790B3240FB25E4AEAAD18E09B13E665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030191Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:56.622{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C360C8648952070C2C0D35AD96720586,SHA256=A5E3FE3B862BD3286516A257DE963D213D1DC819CAC941CD3F58AAE32C981D70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030195Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:57.637{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F11DBD7CFB7108D4DB2E515F3E5ECEC,SHA256=3E324A7565B9A6F72D5004AD19945B3D535FC83544409FE287F15A9EC8831A1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030194Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:55.650{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000030193Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:55.204{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse198.46.199.161198-46-199-161-host.colocrossing.com60064-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000030192Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:57.122{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1330186E94A3615E0AD9178429DE3CF,SHA256=5C867A45D90E9E61A4816AD49202BE80C6C9D767D5CC5AD3C5ED0A3C20BEBB11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030196Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:58.653{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABAE850BA9FAE5D10D9FCF364817D00,SHA256=320ED2B76F026865A582A627DFB30C8F1B133A8D2C8A47B55F3CD77D9BD52498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:58.023{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38DB271D4CD3484D1003092E564E6A69,SHA256=9E972FB17A3885E5580C0D6D3D5B3C091E59A23347FFC0BFF91A10193DC5B538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030197Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:43:59.668{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C562CEAF328A5336932C71ECD88E33A,SHA256=D1A5A6A031A3724BE3E86E2209BA0F64AA44848EDA6A4B7F5050365C6AB0E07E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:59.804{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:59.804{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:59.804{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:59.804{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:59.804{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:59.804{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3809-000000000402}3004C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:59.679{8D4DD44E-5BA6-616D-0B00-000000000402}6281872C:\Windows\system32\lsass.exe{8D4DD44E-5BA4-616D-0100-000000000402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000046293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:59.039{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36036CA910F67366A7811C1EE045E35A,SHA256=1414899950D106662A03D2A3852A9C497F6899696427AD06E1858781A0E15A7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030198Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:00.684{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A119C71D0F164205D0C9CF03E970D3DC,SHA256=5B17510B001D74234B907739FD8A7A9BA8CB350D51209D7D41ACCEE47DF2DA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:00.695{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30F7C89F30E77CE300B69790F775642F,SHA256=F2899044E6AF89E912D15305C2540E763DD5EEAB437156EC658321FC65380C96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:00.695{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F7FC112C99572F16DD868FFB3091607,SHA256=CD075F05B534F4D37612B27A8D7DCA7812A0A9417304AF9AAD8DD31FF65AFD8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:00.101{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA4BDA6699272E5164FB68F386F47BE,SHA256=96331D00A9B638D500BA784A04C3F49161DB5130B4A24B78549951A7129BE24A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030199Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:01.731{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3195C6348C5B73ED680239E5BD222A7,SHA256=E1A4D6EE0B87F0B9641238466877EC89FB03A306A874E66BA5D6A12A04D3D220,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:01.898{8D4DD44E-5BA9-616D-1600-000000000402}12926404C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:01.898{8D4DD44E-5BA9-616D-1600-000000000402}12926404C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:01.132{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBD8AE5ED23BD8A5D96A9136C2E9C02,SHA256=BD1ED6A228407805B44BDA0D1A4B633F80130AA456D7BB31316E3374B1D3B96E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:59.553{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59096-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000046304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:43:59.553{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local59096-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 23542300x800000000000000030204Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:02.762{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EBF315DB08F8A6E741B4C3E999EBDA,SHA256=02FCDBAC139F0B2BB641C24396432C10A4B78FBFBAE2A8F585CED2FE5C5A5A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:02.711{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5042ED3A3D4829DABDA4D3547AFB5F35,SHA256=AEB54095738463BFD915D9D25D8CAA2EADCE43D7F7E76731E1A8843B840D7DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:02.148{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968B959AD53782B558F99D444E998B4D,SHA256=D160493C931E5EEB0A933E0F2F676B5C21ABA027F773CD44243C0B9242E09CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030203Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:02.215{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=87D7D5BC1950FBC05947A714A60E631E,SHA256=9E29F267BF3C7C6DA25081530AB791C1E5D24B48AE08D30FAFF891FF16DF70AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030202Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:02.215{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=33EDF687701AC8318B22804BCC3F7B84,SHA256=578CD3FF48B96C96657FB3ED3110ABD7309535316F0EC80CF126C81795D5C7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030201Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:02.168{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B350C0900B5F775D32446312DF564C75,SHA256=B9C6B3C4DB2A7AF834A0816D65078B58901A7FB3E4EC1E3EC68CD1C8C1B8BAE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030200Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:02.168{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=872C1E6D0888DA923618C9FAE803D49E,SHA256=E3B1FFD9242A5B4F93709ACA81115CCF2FE9099899BBF592D41CD37E7BF64005,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:00.005{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59097-false10.0.1.12-8000- 23542300x800000000000000030206Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:03.762{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC5E88252044462337B76E1A0067ACB,SHA256=9C16C7D0CF6320AFAB3899B225211E1C9C8B49A1435B9F4FF4059009F63448EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046312Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:03.179{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BAE66A21C089FDD964000B015A150F4,SHA256=E60C21B096E6367864F8F287D02A4A701531A6C7EE018F2D76EB400E827EAB0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030205Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:01.619{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030207Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:04.778{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5D8667BEDF79DF2581C7BEB18E8AB7,SHA256=FAA41B8D221F6F3E1B02075E5FC6540B0FE368C167019F6216AFEB092230A203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046313Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:04.211{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91D28D8A2FBCBFA0914225DD37E2E47,SHA256=F114AEA337515063E1999717A2DC17409D0BB6A9CA4FDAFE39452EAA2F99FAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030208Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:05.793{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F17DA4FFCB989086D757FBA276244732,SHA256=4352945A3EA3659425DB20C457DEDD1704946BD8835163C0AF56CE48A6C55A2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046314Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:05.273{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DAF33B0A3DFEC62E70D1BDD895B4B49,SHA256=9DD7482A2876E66843ADB2DD25FDFDD71829A25ED49351734C624EA5BDAE593B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030209Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:06.825{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2615C73960DB9B55E85380B349BD9538,SHA256=7BA97D31EDA4E63AA4D0A16DDDBAA71C3FC236C60BF143ED8B7410B2B17A4ECE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046323Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:06.492{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7A26-616D-6509-000000000402}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046322Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:06.492{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046321Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:06.492{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046320Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:06.492{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046319Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:06.492{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-7A26-616D-6509-000000000402}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046318Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:06.492{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046317Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:06.492{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7A26-616D-6509-000000000402}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046316Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:06.336{8D4DD44E-7A26-616D-6509-000000000402}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046315Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:06.289{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800A5ED8B423FFD9F731803B439872ED,SHA256=B6C4FE1085F4E8D0E0CEEB96BE0A774A28341F71EDD97207E7BEE88FE9682702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030210Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:07.830{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236B363703B560E53409441ED1BE5E9A,SHA256=F038FC4FD48853430A5F2CE7B94978CDC205A159BF8AF02A7CEBA3B7274E0159,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046344Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.980{8D4DD44E-7A27-616D-6709-000000000402}4688720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046343Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.824{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046342Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.809{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7A27-616D-6709-000000000402}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046341Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.809{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046340Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.809{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046339Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.809{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046338Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.809{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046337Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.809{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-7A27-616D-6709-000000000402}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046336Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.809{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7A27-616D-6709-000000000402}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046335Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.809{8D4DD44E-7A27-616D-6709-000000000402}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046334Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.434{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=108660C5AC4030BD810456216233379B,SHA256=0F5503A98A8998562DB4932CAF49B5A6342923D94FF9BA66E9C377409278DD3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046333Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.434{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30F7C89F30E77CE300B69790F775642F,SHA256=F2899044E6AF89E912D15305C2540E763DD5EEAB437156EC658321FC65380C96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046332Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.293{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E82E74F0EE10A6C8B3A1F11B6E3930,SHA256=45863591D2E5E6E2F81A4097754706E75E334F940BB92BCC06B5E4307E35790A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046331Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.168{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7A27-616D-6609-000000000402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046330Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.168{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046329Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.168{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046328Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.168{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046327Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.168{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046326Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.168{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-7A27-616D-6609-000000000402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046325Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.168{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7A27-616D-6609-000000000402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046324Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.169{8D4DD44E-7A27-616D-6609-000000000402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030212Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:08.830{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67BDA15E88A09AFE05BF2B750B9EA7BE,SHA256=09272626C91FF6E4EFB4F15AFBA09D529B42007794377A006B9E24F11E0317FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046356Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:08.902{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=108660C5AC4030BD810456216233379B,SHA256=0F5503A98A8998562DB4932CAF49B5A6342923D94FF9BA66E9C377409278DD3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046355Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:08.700{8D4DD44E-7A28-616D-6809-000000000402}2396504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046354Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:08.480{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7A28-616D-6809-000000000402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046353Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:08.480{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046352Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:08.480{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046351Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:08.480{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046350Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:08.480{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046349Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:08.480{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-7A28-616D-6809-000000000402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046348Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:08.480{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7A28-616D-6809-000000000402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046347Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:08.481{8D4DD44E-7A28-616D-6809-000000000402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046346Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:08.309{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F595B94997AF17B075D465872E7CEAEF,SHA256=9D6CD3293BC88F3A09133149DA14F6550576E735E9DC519FF66A14F99417C050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030211Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:08.471{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046345Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:05.927{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59098-false10.0.1.12-8000- 354300x800000000000000030214Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:07.593{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51201-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030213Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:09.846{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F22E9E450B10CE0445B7D3334E54BF,SHA256=D9AFEA3371B67929FDD43720FF81FA695C78706ED7E229041586C0260856F5B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046367Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:09.699{8D4DD44E-7A29-616D-6909-000000000402}60925816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046366Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:09.512{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7A29-616D-6909-000000000402}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046365Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:09.512{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046364Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:09.512{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046363Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:09.512{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046362Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:09.512{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046361Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:09.512{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-7A29-616D-6909-000000000402}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046360Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:09.512{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7A29-616D-6909-000000000402}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046359Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:09.512{8D4DD44E-7A29-616D-6909-000000000402}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046358Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:09.324{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9531BAB7BCB7FBDF99229EE235EB14A,SHA256=DFAD4F9DCDC16B9E3E55C1F9C90332EC231B86273714EA30E8D9D8DF160BA8F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046357Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:07.681{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59099-false10.0.1.12-8089- 23542300x800000000000000030215Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:10.877{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C19F0E61B8A7CB2538D859B2188B6A,SHA256=D0C8FD2F5DAB7B4B5AC0276E3C0E1C67B7E113C6DAFA2D7F36CA63369CE25CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046378Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:10.512{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51989FBF47B4A489FB564D2CBDCC09F5,SHA256=13D6F9A8402F53AAC4345EC7A986CA9A8D6C7976E570DA8DFEEA88BF8070EF41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046377Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:10.371{8D4DD44E-7A2A-616D-6A09-000000000402}6508224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046376Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:10.324{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308BD3A148922383F8E7E48BC7EA6761,SHA256=4BDBEBEDC77D8305B79F0E31C6496343B34EF44D86C994C5AF849C0B28A99A5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046375Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:10.184{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7A2A-616D-6A09-000000000402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046374Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:10.184{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046373Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:10.184{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046372Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:10.184{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046371Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:10.184{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046370Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:10.184{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-7A2A-616D-6A09-000000000402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046369Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:10.184{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7A2A-616D-6A09-000000000402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046368Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:10.184{8D4DD44E-7A2A-616D-6A09-000000000402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030217Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:11.924{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E01F703CFEF7483397A072B7036655A,SHA256=98895C99CA5DE31CF58332E95DC0486CB26B787701C4058DEC30E39897795C81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046387Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:11.840{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7A2B-616D-6B09-000000000402}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046386Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:11.840{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046385Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:11.840{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046384Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:11.840{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046383Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:11.840{8D4DD44E-5BA8-616D-0C00-000000000402}8481920C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046382Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:11.840{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-7A2B-616D-6B09-000000000402}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046381Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:11.840{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7A2B-616D-6B09-000000000402}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046380Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:11.841{8D4DD44E-7A2B-616D-6B09-000000000402}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046379Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:11.340{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759650399E41F96A62FCCBCD1B5203FA,SHA256=004BB17C72E24B24BFB2CC68BB59FF01BE5C1C147B5D5905DF12E3F5F11596B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030216Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:08.015{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000030218Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:12.939{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEC7C34DB85AA4533FC8EF31E68CCB1,SHA256=3401FB17DD115A648A3CBE19C011ED3E47954E9F883D7DBD8744D615325911E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046389Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:12.887{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C139F55E727D8D68609C0C4BDF9A42F5,SHA256=090F05DCCE7DA8747DE7DB6A62CC10532FFFEA7675D74FF7C0189C8FA36BBEC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046388Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:12.387{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64101AC02AD9AAFCFABBB4B88EC38EA,SHA256=9D84049B40BFB5C8F52E04F4B3DEC6751E036BD9E4870C0E3473318ABBA3AB04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030219Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:13.955{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03AB2977A4C0314644079119201FC8B8,SHA256=AD8C0E33A42B339074F845D481ABABE05380B4D3B0F33ED0E4078B69A2C8EAC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046391Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:13.449{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69088E9C083B6A5834B6370ED5DD9D15,SHA256=A75B9D9273950065F09B080A4266BB5B4F754B12B1349FE21A5D83B56D3032DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046390Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:10.994{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59100-false10.0.1.12-8000- 23542300x800000000000000030220Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:14.971{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0403E7DC68053B395D3090AEDE1E4786,SHA256=66E66017A4B74B079C7353D27755DD56492E2A6EC729E2F827F5AD83D6374570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046392Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:14.668{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6EBABD3F43899398833F66EE24D533,SHA256=0C32247008EA1666DD2EF23E2D892F8BD9BBD063CCABC1FAB33B20E3D713A44C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030222Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:15.986{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C36523BFC179D258569C928CB63D144,SHA256=F619D9B3748D2E90E9CE50E53965DCA1C6E2D944D04B0E86CDE5B28D0944AAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046393Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:15.684{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70EFA4636DD4BA5114DB6DC867753BE,SHA256=ABCB51288BC6B359A961536D0817474AFF29A73E444B4A2FCAF05FCD548934EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030221Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:12.717{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51203-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046394Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:16.918{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80512606A03AABDABF0DC1FBBDCDB1A2,SHA256=7E720C09DADAF16F92AB6A203DAAB3A0BF7F6F283F8E40FD226B3DE8DE22422A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046395Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:17.933{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BF880D0140A8378036F6EC19CE3B87,SHA256=C2A450DBE81471B05ECDC278C13AE6B3209B4F5F825DDAEF0E3E17E21038E0A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030223Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:17.002{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE1FB00D33293EB10033104224E22D48,SHA256=694FCA6B6CAC9A503876568813BDF473FEEE53A124A957EB3D9E4C042783836F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046397Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:18.949{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703CC48F0916E895B5CBC3DFD4D12402,SHA256=3C67C4D2680E09B48524763CF395139AC4409C1EE50793A04A11C8C4440BDEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030224Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:18.017{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23220D6599827B8B8E8B11C5B003E3C7,SHA256=383FE9F98810CA4A8FCEC76A0FB26B3268E0B91CDEC24F644D4A36750693889C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046396Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:16.119{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local59101-false10.0.1.12-8000- 23542300x800000000000000046398Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:19.967{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B86701B7E7BD0311EF48F815EBA791,SHA256=97B682ECBC08182D34F756AC57056080908BEBCD45B0570F4D83C12A95BEE35C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030225Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:19.033{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8A2DD91D1A9F388DB3B82FAA88D1CB,SHA256=E38659D01F4EF0ACF3891875F83BEFF9819042ADFCD1360DA184444C1E8A4CE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030226Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:20.049{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E65C57D294147A8CC4D01D2F7F77EB,SHA256=BCDC664A5539811F34C94F89502EDF668E175C80515DA6169B516C597EAFA42F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030228Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:18.670{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51204-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030227Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:44:21.064{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CE364384FE2F269D2928A55F9176AF,SHA256=650CD698EA9C0ED35756285C42A28ADB2A70FB48C251F41519BE4636D504BDFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046399Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:44:21.014{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F240B069095B34C46D9C3C0AFB10A70,SHA256=87A034E8CC30D4467460BADFBF4B68D1D5E509DED57C210D38A78E33CDC11175,IMPHASH=00000000000000000000000000000000falsetrue