23542300x8000000000000000101107Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:06.985{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A2C217BA5AD81903A74306116A82BD,SHA256=6478797CF0D8AA3A6BD41C271E5582724EC99E9EBFEFDBABB03C3BB231DC28A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090445Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:07.365{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A8685AF43155BAAA908E799A4199EF,SHA256=A4A3B1C28E2082E8BB9658DD59C32BA9B5E22D00A80FF944F324686AE00C71A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101114Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:05.848{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57461-false10.0.1.12-8000- 23542300x8000000000000000101113Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:07.318{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=8793BBFFBB5BEE0F872E47988676B0E9,SHA256=7A6B15E091B346CF023711E5665D1D99584BDCEBE81BB90A8A65E43FB6E5861A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101112Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:07.318{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=9A8B302C5D0B57DC8BE1F024D4A09DB1,SHA256=9635770ADAEADD4CE32EB02C3DD04AAB7C767CEF9C216E484521229AE3FBAA8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101111Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:07.318{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=18F1966252678C3ECF34F7A5C5CE595F,SHA256=25F63EB61527B908E6986745E70C78EAB361B639271417C0C6B20403658E43B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101110Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:07.318{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=D1907976FCDD2FDDE340807B0A0CB0F2,SHA256=79BB75CD876DAF8BF478F12152ACB046CA2AB45D4379EEDF5CA70CE9B3F53A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101109Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:07.318{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=7369B145728D27D93A686BF7AEB2BCD2,SHA256=96CAEBEF079DF9B2156F5182870A023A09D72FEDE218EBE5DDFFE05FE618F0CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101108Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:07.318{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=2BA3F9FE1BEA782E71E9EDF3A2DC0AF6,SHA256=3E35098F1158CEE61394D55010FCC91BD84671CD751766F482186FB63B65E0F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090447Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:08.396{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C473EE9BA99BA172444A25B445B265,SHA256=594E6E8594EE7EBEB5DCABCC12C49474394AE0AB6AAA814A5D701315B24B8DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101115Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:08.028{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3824A981D42158C24AB9F9CC4C8AC98,SHA256=10BCDFAB170DDAF6327DF55C8BF8E4566ACE00798ED5135A4001F12284E8A213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090446Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:08.208{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9F8A371A8B817A02206A574BD77342F,SHA256=1A3E8AB0108709FD8A678CB1B6E0B3C20044807295DCBB390AC61DA6065B39A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090449Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:09.677{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8BC23276FC24AEA01B0D474022E9DE4,SHA256=00DB112798CFD5BD13AA6DE56F4B1B93146495E655103CF91E829A841CE38AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090448Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:09.412{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D831BB21F385E66C970AB00D34E6C7,SHA256=B7E2F7C1999A9D9955D3EAC6EE1681BE99171F0414DE769E4CE0BB3FC7884AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101116Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:09.029{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D2AC7AF3C6F3E6AC7A02E432001CF29,SHA256=ECF65FFB7452F17CDE5206D19CA7A2A0DBA9C8E68D49161F92EEEEE9386042AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090451Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:10.740{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2736E7FA6AE3F30BBA72CE0E983005CC,SHA256=ABF80D0458675754797D20410A425A06F57DEF1F3461E6B1E0680EAC2BB9704E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090450Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:10.443{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA442D8003458C0CF13CED8B797C9BB,SHA256=6C63A3BF61B02DD21FE7063F4085B8049F8DBB16CD1BDF10684AFD823037CC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101117Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:10.047{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=892138A88CED48C1E7E5E45B18558D6C,SHA256=99AF7D22D41D7D88CFC78AF3A8F200F581E9CF1781372E67B883E7F591ADD263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090453Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:11.849{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=768523FA57F1562C5C770441885015DD,SHA256=8E65E6BA552E8D207D7521D974EC4AEA48CCBDCB7EB5FEC9042548D1CA26B74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090452Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:11.459{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169818A023796DA33A8D04931322082C,SHA256=E9894A4899779075A05CAF023D4317712058043A60B4FF3B1FC8FD273EC56A89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101118Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:11.066{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2566C5C2BD661EEE72FD3DFE95DE84D,SHA256=8DFBEEC485E15BAEB43070FFBE3D956F7DEA952CF71D7E2D5BF9ADE0A73B45A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090454Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:12.490{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394E1C3F1CC780C816536BEEAAD687BA,SHA256=5E52C7354AE16672A27338550F7D1C530C42CA9D2453AE4BDD6F4EF5DACFD648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101119Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:12.082{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6DD2015226BB77479BCB610D4CF0E2,SHA256=8E4436C25B92A97096F0EE1654F8E48CBF1366EDBEA53E426B295C99C62AF860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090457Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:13.521{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E3A2C0AFFCA2C4659E5BC03939EB3B,SHA256=D9F27C83468B12C7D9E68225F6F6F83941B442814749C1A94FC621FF1FAC29D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101121Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:11.615{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57462-false10.0.1.12-8000- 23542300x8000000000000000101120Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:13.096{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECDFAFC0EDF2410F3152413DBA05F747,SHA256=8366CE8245A88AF5B4E1213D4CBC6906230B4D8D68E9473449E53EABBAFBE83B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090456Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:10.857{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50714-false10.0.1.12-8000- 23542300x800000000000000090455Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:13.037{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EB8DEC02843336C43097334104640D4,SHA256=3141DFBF0AC4B90DD63A92D0FA96D0F91B8D818E721DFC332C1EE2FEFFB06415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090459Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:14.537{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79EA24D6DF971B8C85406E8D360E2613,SHA256=979FD7394EC94BD6F7B119DAD4DCC653E42F8C4F9E7ED8A58DC32C5D3645F539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101122Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:14.114{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E80D43264AAB1914EB9C355C443C73,SHA256=F3DDEC292D32BC55544AE35DC2C676DC933A4DEF2AA5B97C76D6A8808E6B0B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090458Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:14.240{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57FA64D77B5F4811A81221C5485F650C,SHA256=B8A2ABF28121F271251784784D036AAF4EC0959859AB512ECA1EEFE5ED69AAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090461Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:15.599{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DF2AA67AA597A05F86B6640B0968901,SHA256=C2E35426A1A29468B31DCE6F2284B127B63F73A1D0FA612318E78CAD15B2B7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090460Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:15.553{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DAAFEC19993682D2A3C323833FF8701,SHA256=A232EF70B8A20FF2ADCF785E99B9AC3FB432428F3DC6FC1F0629F201D07C0042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101123Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:15.128{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D9BE39481D5DEAA6D057344058D88E,SHA256=0AB365CD86C9E5D7ED29358237D87FB2505E464A44BCA1E30A1148E0428ADA5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090463Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:16.896{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08219BE6D6C58DD44FB8691B849609C9,SHA256=EC65A5305A2ADB6DD5C519845AAB47FF3FB76A8E37423218546893F25C32EBDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090462Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:16.568{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79104D948CB5B463510E07B080CB2544,SHA256=5C258B3A90CC4837FC6212DBD0E78853D524E84B7B7EE5A65A56F32909907498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101124Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:16.129{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F2D4C291694D725844C4B68B5DD2D0,SHA256=8123A30BF76CBA2E16952FC8FA7975570C3B65BC19C80E02B42D1EE0446A10E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101125Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:17.145{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7DBCF316D5C5D6504F3CA21DD2D34E,SHA256=5BAC55D11BE854598E6C741A39D2349510EDD2799A69BF5DCA0EA9FBD97CAC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090464Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:17.599{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C7491A9A587DE063B065614C5281C2,SHA256=0855CB51AAD90991ADAB17218C8C05667936F4706D86C6E8B27363093BCE73DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090467Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:18.600{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13747695BFA493C01692A36967585616,SHA256=CF502F7E6E099A381F77515BB33031CF810B13AAF88052024EFD5CDDE1C3A9EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101127Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:16.668{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57463-false10.0.1.12-8000- 23542300x8000000000000000101126Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:18.167{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C060FA017173B27A178A2F40FE7A9CC3,SHA256=6512FC2CCB083007B50A69F370C8BF4B087BCD2B69CEB5E48CC1D225F50A26ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090466Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:16.841{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50715-false10.0.1.12-8000- 23542300x800000000000000090465Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:18.053{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78E51DB625B17A3DFCB7731CC0035052,SHA256=510C8CF95162B977A33AB97147CCFFFA69E7768C89D0465C307C4CE31162759F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090469Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:19.631{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40CFF5FB8C17D4D5983316678D08B6F5,SHA256=30928F4E09CB94AB7A3B8D63C4061EAEEF6E38981C204AE25B3C14A5E0343935,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101131Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:19.882{3A00444C-84F0-6086-5002-00000000BC01}47324820C:\Windows\Explorer.EXE{3A00444C-8594-6086-7502-00000000BC01}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80024E648C8)|UNKNOWN(FFFFC4AB016B4A38)|UNKNOWN(FFFFC4AB016B4BB7)|UNKNOWN(FFFFC4AB016AF241)|UNKNOWN(FFFFC4AB016B0C0A)|UNKNOWN(FFFFC4AB016AEEC6)|UNKNOWN(FFFFF80024B7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000101130Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:19.882{3A00444C-84F0-6086-5002-00000000BC01}47324820C:\Windows\Explorer.EXE{3A00444C-8594-6086-7502-00000000BC01}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80024E648C8)|UNKNOWN(FFFFC4AB016B4A38)|UNKNOWN(FFFFC4AB016B4BB7)|UNKNOWN(FFFFC4AB016AF241)|UNKNOWN(FFFFC4AB016B0C0A)|UNKNOWN(FFFFC4AB016AEEC6)|UNKNOWN(FFFFF80024B7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101129Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:19.882{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF493ad3.TMPMD5=C99EE02EBFB64BDE6B873A56BB796C66,SHA256=C71E259F4C9B0D61592A2D077072B03E7F90454AA9B9A4CD017E3051F09C73F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101128Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:19.198{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC467CC2CD8857B4AECCB8544FACD1C,SHA256=95E1B1FE9EDA9AAA2498879B0EFC568F0CD9BAC2CD1F7AF21F25F6ED16C14059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090468Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:19.396{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FF6BF36A70671A58400DF23F9B33DD4,SHA256=11CD5F062F099F4E049F09215C6CB7957F6D7B28FC8C03970843D75E50FDA4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090471Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:20.818{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06CD1C66B9631E22904F69577D88F45E,SHA256=244C6C9189D921BA851D5C0CCD6380991346E13F062326915197B9B973037E33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090470Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:20.662{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930F4F0B6A27551FB5635998C95002E1,SHA256=E92475C1FA39A5E5F628BFCE4E5FEF8C5E3381D9A7AD206B20BFC5BC8763E994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101132Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:20.228{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D95B9D2812BD7FE2386F85443C7F0A,SHA256=6DFBD5F2114839D8DCEC668086BF6D87EBADC79B828F3E4C90CE743D47A56D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090473Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:21.928{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=780EF3A2F2CBF4177C710AEE8ABCE5E8,SHA256=823CEE9C946725D3F280894364B1E9FA01F33CC8F96B4DC5ED074A597C3D9ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090472Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:21.678{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1A762476850580231B32A42BA2F795,SHA256=85A24A844F453697BE1992B932B117E803C7CF9F3A93A61B28F14A0A44920671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101133Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:21.229{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762E4BAFC857788B40962AD22D4E209A,SHA256=762DCDF223ACF7A7F9E335EF1E79F9FF5548169699191AD430C95C4677E4F280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090474Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:22.694{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89D1505D1F2BE9E6FA50613CFEE61E0,SHA256=67ECBAF48DD3DD70C0CE357F74697A9378F3B2CDDB7B865845187B4B6D0C0ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101134Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:22.229{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872714F9D1AB9265DB1EF5A463130826,SHA256=532A91297E9ECD56B1A77BA7A0FDC794E3A1EFC2FA52E9B8756C995E58B97037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101135Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:23.229{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE13589536DC09C8CADF4645C2CA0D1C,SHA256=8FD41353C558FE5A0928EFE56BFD7D8AC76D6F4FDBDCB46C1E04709DC8EA3E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090477Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:23.709{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597A19FB9715B4EE25042350CD08E941,SHA256=44B1DE3A92512005793BB98A43606AE756691CE0AA1E5FC03C87B0F0DD7C07BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090476Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:22.076{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50716-false10.0.1.12-8000- 23542300x800000000000000090475Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:23.068{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAC5B607ECF79B424DA3FC4AD6C8A6D6,SHA256=BD5DA40B51123ACB2D490483A771A1335B60C4C0B559E038B9F77BAE7F9C5C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090479Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:24.725{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1AD68B926E1AA249B910EDF0860F93,SHA256=0CAAE5CEF62645C9C4E994E8A1BD79AC24F95B5886072038E6BC590DE40E8DE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101138Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:21.700{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57464-false10.0.1.12-8000- 10341000x8000000000000000101137Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:24.397{3A00444C-7713-6086-0B00-00000000BC01}6241196C:\Windows\system32\lsass.exe{3A00444C-7711-6086-0100-00000000BC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000101136Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:24.247{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DBC3FC8F597D32A421060079A3EF28,SHA256=AF2A2A080AA821C6CB47031B94BBC6372A36BE8A37B8327F0937DB04A8C00C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090478Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:24.272{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FEBCDDEA1E7913169D1053D46FDD26C,SHA256=39027282DD1F2A057CA7A34CC6CD456F7B0965AB25638661792CA3AF6D29C040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090481Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:25.756{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30C82D5812B44BCAB307E06A77D231E,SHA256=915C2D6316C268892770B5808E908864DDD10FF9427CBCA21AD781BF076E56BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101145Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:25.929{3A00444C-7715-6086-0F00-00000000BC01}2962080C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2E00-00000000BC01}2208C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101144Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:25.929{3A00444C-7715-6086-0F00-00000000BC01}2962080C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2E00-00000000BC01}2208C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000101143Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:24.001{3A00444C-7711-6086-0100-00000000BC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57465-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local445microsoft-ds 354300x8000000000000000101142Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:24.001{3A00444C-7711-6086-0100-00000000BC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57465-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local445microsoft-ds 23542300x8000000000000000101141Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:25.413{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4E8513CBCA6341005B8460EE7F781AF,SHA256=F30A7868136EB0E39F10D82A42AC5A7E1E49390A8ADBDE5D3053D881661D951C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101140Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:25.413{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C141371D911FA33DA911FB23426106D6,SHA256=4D5BC7DBBE6E995832DEA228F03A5589AA3D413DF445A8215FD73E685E9C5D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101139Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:25.266{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1968916F92A9593185D2D823BC5624,SHA256=E50B0DE175B514D68382D6442A4349A9E22C132A5B818D0B8E0529A6ACD0037F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090480Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:25.475{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DCE3C89CD7711A6C44A9554C3731DC6,SHA256=D8AFF0C81244B8FFD59C928138B832219121A6E2538D3A8E587C2C366300977E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090482Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:26.772{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E67C920C5F06CA45C91579BF96D5427,SHA256=D20244B690A2E14222409223A5CD7A3D0F6A1ADE28BD0C44DFB4EB24125E7051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101147Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:26.297{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A177C531857767FE9EE41AD44CB7178,SHA256=5A4654EE583C6672ED3DC54CE17E3502C67EF285ED4D9F8506617023F6F3FC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101146Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:26.246{3A00444C-7715-6086-1200-00000000BC01}612NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=04DA994F8F87B7360BD62C1A9640FB07,SHA256=A0BA5F76D40BEAD3E969ABE9B605DE4D4A86476F16DD4E0A050098AE7666DB65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090484Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:27.850{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9114D852607E5A14AD120B534EA563F,SHA256=AC7D32D8EB022B3AA7083C300DC03B19F5135740E1532CBF7392FF14E29DD701,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000101158Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000101157Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00495909) 13241300x8000000000000000101156Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d73a77-0x632e176a) 13241300x8000000000000000101155Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d73a7f-0xc4f27f6a) 13241300x8000000000000000101154Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d73a88-0x26b6e76a) 13241300x8000000000000000101153Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000101152Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00495909) 13241300x8000000000000000101151Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d73a77-0x632e176a) 13241300x8000000000000000101150Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d73a7f-0xc4f27f6a) 13241300x8000000000000000101149Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d73a88-0x26b6e76a) 23542300x8000000000000000101148Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:27.298{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13457038F77953B3C081D819A13C4FB,SHA256=B0B58005446E9AA6C4C9B896F4BFB5138D4EEF0A403E83637F247ED1FFE72FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090483Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:27.022{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDE633FEB2739712DD94D1ABC3F5E440,SHA256=8C9A18237FF97D13AC0446D990D60D11328F8235D988D0A241C183439E6BE2CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090486Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:28.866{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578E25947D980DFF7DD6EC4CA8CBFDA4,SHA256=4E4B766AC8A6B7105D52BCE43668CA0D0BE2D0F448BF0AF8642EB4F383279C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101159Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:28.329{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0A9DAA796821542934BA5AF212BBB9,SHA256=EA8E45086D5E71EA49017553AFBDA51022FFEF373E6DFB8CAA1AFDBD773E7C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090485Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:28.194{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B455C556C5324C8793763354AAFEF74,SHA256=20ECA5289E7E0F8E8F418E237A000D47BA55C77A77D49658FF71A4D705E8F461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090489Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:29.881{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0772FC2F1E927FBEAA411F20949C5D,SHA256=CA1D3097924631E1283F6F96974DAADA434E2D53497BA06A9E946AC49E182708,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101161Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:26.701{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57466-false10.0.1.12-8000- 23542300x8000000000000000101160Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:29.359{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBB7E31423874C124C4D86D202E6C8C,SHA256=5CA5F8B2D010A9D9942A17A060FC83CC779285CE606C5F3E1302A0A073522BC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090488Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:27.919{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50717-false10.0.1.12-8000- 23542300x800000000000000090487Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:29.225{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B241E9E1C7C4B236D40E57279CAF3D4,SHA256=30F34E90E02E43774DC40316CAAF8D163CBFA516B4BDA53CE7234BA5E6796D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090491Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:30.944{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62001D5647FE8AE4D9588CE45427564E,SHA256=3A6A67C0ECF0E071C5A05CA5E30775283D720C8B1A49622BCFD921B538D24130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101162Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:30.365{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711EB2FA632A3B7FA35CE93A624ECBC8,SHA256=EB7E568FB977FA1ABA404A7254F743FCB40858276226CAB99B9BC01B29D7FD61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090490Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:30.381{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D083022D0EFC1C0F2CB42DC53D895157,SHA256=8D1751FAC7409CE44730B79DA06C7B0550420F60E0F0001951274F8F7ACF68AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090493Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:31.991{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719E1B5A5204CCD59E0E558EFC420C70,SHA256=E52B969D169A20A964FA80304D69B5C5569BAF5A6D019EEDFBCFF2322E5F2295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101163Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:31.366{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953299FBBB02F9E7648C2976256D72FC,SHA256=028E99148C6175D5D26669BA070139BD3F8836059FD6FFED2A6986381C1F630B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090492Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:31.694{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73BA888AD4B1D013D0A167A4D4388CD9,SHA256=3ED3D855F9FDAA142AE442D6D2A432B90C82DCEBE44DFF40A4B4468A848C2244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101164Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:32.367{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4930BCEE040A6408DEEA20C2CB1BA0,SHA256=D632B96FC7C28037CB96F7046D37F28C1067D9B5C60FA45A9189F7DA855506D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101166Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:31.749{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57467-false10.0.1.12-8000- 23542300x8000000000000000101165Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:33.412{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB823FC3166D4E06EE32CDAD0844CD06,SHA256=14A59D53D234B620814196F4B66B5BFF8C9C117CC45A4986DC1086D21EFD626D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090495Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:33.163{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92EEA238893AF1A1CB07B4895427EB4C,SHA256=2966549F06703249CF6D012C0AE0E8362D2FE57F0F86E752CCC9B750BEC1A320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090494Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:33.069{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D062B0888DD0B681AE08F0E3531384F9,SHA256=2BA05E84D10D90857E1E592893A174D208770C28D3CFBFA3F2B632C762E157BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101167Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:34.413{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E6996C3C1512DAEE5DBFD21730214D,SHA256=17D0A29E949FC9712C67E40D0BF0A6136944F6C3D9C3793F53C2B3E7EAE86FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090497Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:34.272{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E7628EE1FD5B206EC7C70AD0DB62275,SHA256=3DA97AB264B2C1FA824540052EB34653CCFA86D410C673D700BFFB0378117D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090496Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:34.100{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508363597B095A114BFE042C15AFEF70,SHA256=AF4D283CEFA7CFA8914C16D7EDB328B24C9764A35229A936AB23DE0EABE0A5B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101168Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:35.413{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD34D35967761BF645EEB7A3C0619846,SHA256=D3E92368E7628B37C0752219C581FAC996E3318DEBB205BD9D88139683877D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090499Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:35.397{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7DC56CBFAB8C1169A0E94E541F7AED3,SHA256=6182AA2A440873A5EBA4F48EF9FA39E9A1B0A85D753B396FDB9ED53496C8638F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090498Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:35.178{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DDD7F4BFE3695FF32301D39E9AA6D5B,SHA256=BB589A949C3224BC3A0BE64EC13850E04E4DF8DA3C8AC8A33708BCF8E710E52A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101232Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.613{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBCEDEAC63ABEECFE2ED76024E079BD,SHA256=B030EDB7E65C252BE3B140034BC45AB5E391A914393C7C47FC6C79FCFB006033,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101231Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.582{3A00444C-7715-6086-0F00-00000000BC01}2963100C:\Windows\system32\svchost.exe{3A00444C-89E0-6086-0803-00000000BC01}6548C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101230Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.582{3A00444C-7715-6086-0F00-00000000BC01}2961324C:\Windows\system32\svchost.exe{3A00444C-89E0-6086-0803-00000000BC01}6548C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101229Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.582{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E0-6086-0803-00000000BC01}6548C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101228Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.582{3A00444C-84ED-6086-3F02-00000000BC01}1328908C:\Windows\system32\csrss.exe{3A00444C-89E0-6086-0803-00000000BC01}6548C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101227Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.582{3A00444C-7713-6086-0500-00000000BC01}408424C:\Windows\system32\csrss.exe{3A00444C-89E0-6086-0803-00000000BC01}6548C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101226Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.582{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E0-6086-0803-00000000BC01}6548C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101225Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.566{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101224Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.566{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101223Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.566{3A00444C-84F0-6086-5002-00000000BC01}47325024C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101222Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.566{3A00444C-84F0-6086-5002-00000000BC01}47325024C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101221Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.551{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000101220Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.551{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000101219Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.551{3A00444C-84EF-6086-4602-00000000BC01}41127112C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101218Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.551{3A00444C-84EF-6086-4602-00000000BC01}41127112C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101217Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.551{3A00444C-84F0-6086-5002-00000000BC01}47324328C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101216Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.551{3A00444C-84F0-6086-5002-00000000BC01}47324328C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101215Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.551{3A00444C-84F0-6086-5002-00000000BC01}47324844C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000101214Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.551{3A00444C-84F0-6086-5002-00000000BC01}47324844C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000101213Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.549{3A00444C-84F0-6086-5002-00000000BC01}47324792C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101212Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.549{3A00444C-84F0-6086-5002-00000000BC01}47324792C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101211Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.547{3A00444C-84F0-6086-5002-00000000BC01}47324792C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101210Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101209Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-7715-6086-0C00-00000000BC01}8361140C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101208Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-7715-6086-0C00-00000000BC01}8361140C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101207Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-7715-6086-0C00-00000000BC01}8361140C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101206Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101205Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101204Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101203Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-84F0-6086-5002-00000000BC01}47324900C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101202Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-84F0-6086-5002-00000000BC01}47324288C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101201Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-84F0-6086-5002-00000000BC01}47324288C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000090502Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:36.538{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19E59360C236AA6930E44C9C539BBDC7,SHA256=E6EBBC775CD50EF183018F6F7CC9AE812309C23156F0AD7B923664DBA6921DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090501Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:36.288{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F1BB47569A7D837D77ED0AE9C9CF86,SHA256=8F9A3DFC001510CB68244D4DC5F56C08BA233A560C4CF7D94EFCA37B611F7547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101200Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.149{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E893B67E68D3ECCF776F76353C2A959,SHA256=882F11F90A8272393D3C880FC5E5655784594D6775A1642687F582B547FB3742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101199Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.148{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4E8513CBCA6341005B8460EE7F781AF,SHA256=F30A7868136EB0E39F10D82A42AC5A7E1E49390A8ADBDE5D3053D881661D951C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101198Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101197Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101196Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101195Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101194Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101193Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101192Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101191Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101190Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101189Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101188Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101187Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101186Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101185Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101184Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101183Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101182Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101181Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101180Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101179Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101178Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101177Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101176Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101175Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101174Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101173Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101172Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101171Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101170Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101169Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000090500Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:33.919{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50718-false10.0.1.12-8000- 23542300x800000000000000090504Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:37.694{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B67D0D63C34135A33C55925D8E5763E,SHA256=81E139C5BB49C5F9BCBA985B76D98CC489D233DB61C788DF8F95A319C1322184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090503Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:37.319{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3C4B5CCC3FD490C5BE5F64C53890B8,SHA256=999F69F262D3C6128F150B44535C17B1E4ACBA479BFD494A1B32F5D822897554,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101254Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.948{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101253Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.948{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101252Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.948{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101251Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.948{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101250Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.948{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101249Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.948{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101248Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.947{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101247Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.947{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000101246Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84F1-6086-5302-00000000BC01}5076ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4R6QX44A\microsoft.windows[1].xmlMD5=5BF5DBE4A9A4B41A837FE30805AE4274,SHA256=2B49D9E8E8042CBC91DF3CDFFDD399622AFFF06E75EE787D3D717F5195595192,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101245Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101244Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101243Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101242Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101241Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84EF-6086-4602-00000000BC01}41127112C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101240Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84EF-6086-4602-00000000BC01}41127112C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101239Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101238Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000101237Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.782{3A00444C-84F1-6086-5302-00000000BC01}5076ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4R6QX44A\microsoft.windows[1].xmlMD5=357AA2A9FD6F03F64128266CED769B3E,SHA256=1BDA7D217947C3F371457666A90878A6429A892C81B3B665B6B3DE1173F19738,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101236Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.782{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101235Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.782{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x8000000000000000101234Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.766{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88AA5D08B77BF1C6C75BA7F302218607,SHA256=39F9AC46F66172C31F13F67283015A8771584EDC13D573BB3C063291037B03DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101233Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.766{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E893B67E68D3ECCF776F76353C2A959,SHA256=882F11F90A8272393D3C880FC5E5655784594D6775A1642687F582B547FB3742,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101281Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.800{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57468-false10.0.1.12-8000- 23542300x8000000000000000101280Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.782{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4375A8A69D54767130E015A7F366E1F1,SHA256=E11A5FAA1DCC1D78F467A754C2356D67747751610520FB12885F274DC7D70C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090506Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:38.882{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAED26BCF168B10D11193419C10188BD,SHA256=B74E90B3D718678AFD3C118F2D9A1C652D102258DF96D504922B342A6A1B6BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090505Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:38.507{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B26BD6E975B1F0D07426C97148BABE,SHA256=00590D3378AD0C8D231B3D6B5505B45779EA9744851BF79C88DACC5E69C5917A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101279Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.381{3A00444C-84EF-6086-4602-00000000BC01}41125428C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101278Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.381{3A00444C-84EF-6086-4602-00000000BC01}41125428C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101277Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.381{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101276Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.381{3A00444C-84EF-6086-4602-00000000BC01}41124152C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101275Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.381{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101274Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.381{3A00444C-84EF-6086-4602-00000000BC01}41124152C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101273Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.381{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101272Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.381{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000101271Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.366{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6396878920AB091674B6FADD6BA284,SHA256=41A36C04A1F0B858FC4206E1F1288936963F5B3E750DD683FDEC23F75D4E2F68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101270Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.182{3A00444C-84EF-6086-4602-00000000BC01}41124152C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101269Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.182{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101268Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.182{3A00444C-84EF-6086-4602-00000000BC01}41124152C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101267Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.182{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101266Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.182{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101265Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.182{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101264Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.182{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101263Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.182{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101262Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.113{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101261Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.113{3A00444C-84EF-6086-4602-00000000BC01}41124152C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101260Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.113{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101259Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.113{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101258Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.113{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101257Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.113{3A00444C-84EF-6086-4602-00000000BC01}41124152C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101256Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.113{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101255Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.113{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000101282Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:39.782{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C7E7EB397595C273B10EC4BB45A2B8,SHA256=7DEB0F1654716712FC2E046857142A104FCA3BF40074C4AF818035FC589A5E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090508Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:39.991{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46A4F2E41DFE12F24C15F43B14F1B02B,SHA256=E32F4DF890CD59D3AF240736C1301B8BE55DC6900C59147EA785BB5682372C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090507Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:39.554{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164896AC8ECCEA0A7714B3FD3A27CD29,SHA256=A98E1F6E90959EC50B08694E1F465CF76D9E17D289D37790397BD4709969B9AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101283Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:40.814{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754578E206381BA9DB5064AD9FEEC161,SHA256=A4B79263964E447968C92E82A13F4C0908DD418D955609CA71E47925F48CA63D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090509Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:40.632{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4068E99EDC53B768DD44E894CAC2F3,SHA256=45E0120909BD6B037707F46D30F50E6FCD2FA0D602182AE317D1E9C20267F9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090512Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:41.679{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F62A8242C8241F666D942FA155C5A9,SHA256=CDD92411421BFC04E707AC2313A420316B4C5F17D90C370194D03C6CF2985A9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101325Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.967{3A00444C-7715-6086-0F00-00000000BC01}2963100C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101324Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.967{3A00444C-7715-6086-0F00-00000000BC01}2961324C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101323Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.951{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101322Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.951{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101321Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.951{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101320Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.951{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101319Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.951{3A00444C-84ED-6086-3F02-00000000BC01}1328908C:\Windows\system32\csrss.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101318Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.951{3A00444C-84EF-6086-4602-00000000BC01}41126152C:\Windows\System32\RuntimeBroker.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80256|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\windows.storage.dll+2d1b2|C:\Windows\System32\windows.storage.dll+2cea9|C:\Windows\System32\windows.storage.dll+2cd7f|C:\Windows\System32\SHELL32.dll+80256|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+1740bf 154100x8000000000000000101317Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.959{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe10.0.14393.4046 (rs1_release.201028-1803)Windows PowerShell ISEMicrosoft® Windows® Operating SystemMicrosoft Corporationpowershell_ise.EXE"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{3A00444C-84EE-6086-9FDC-170000000000}0x17dc9f2HighMD5=FEBDA520271B683CD518B3425EC585D4,SHA256=8CFAC3F204DF864A5E9D9E20A4E7D4D70CB30A146661D0F7447A927BE74F7F04,IMPHASH=00000000000000000000000000000000{3A00444C-84EF-6086-4602-00000000BC01}4112C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding 10341000x8000000000000000101316Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.951{3A00444C-84F0-6086-5002-00000000BC01}47325024C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101315Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.951{3A00444C-84F0-6086-5002-00000000BC01}47325024C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101314Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.914{3A00444C-84F0-6086-5002-00000000BC01}47324844C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000101313Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.914{3A00444C-84F0-6086-5002-00000000BC01}47324844C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000101312Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.899{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101311Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.899{3A00444C-84F0-6086-5002-00000000BC01}47327080C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101310Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.899{3A00444C-84F0-6086-5002-00000000BC01}47327080C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101309Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.899{3A00444C-84F0-6086-5002-00000000BC01}47325024C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101308Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.899{3A00444C-84F0-6086-5002-00000000BC01}47325024C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101307Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.899{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101306Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.899{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101305Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.899{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101304Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-84EF-6086-4602-00000000BC01}41121944C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+36f20|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+32f80|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+22534|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\SharedStartModel.dll+77f37|C:\Windows\System32\SharedStartModel.dll+b2d9d|C:\Windows\System32\SharedStartModel.dll+b2285|C:\Windows\System32\SharedStartModel.dll+b2801|C:\Windows\system32\windows.cortana.Desktop.dll+a80e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f 10341000x8000000000000000101303Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101302Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101301Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101300Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101299Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101298Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101297Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101296Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000101295Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.814{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3357164DB12D37E85E7530E080B155,SHA256=10142F5430432714BFDBDF3F21775C78FD854F1AC98DAB3BDB81A07901CDBE22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101294Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.228{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101293Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.228{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101292Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-84EF-6086-4602-00000000BC01}41121944C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+36f20|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+32f80|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+22534|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\SharedStartModel.dll+77f37|C:\Windows\System32\SharedStartModel.dll+b2d9d|C:\Windows\System32\SharedStartModel.dll+b2a24|C:\Windows\System32\SharedStartModel.dll+b2fab|C:\Windows\system32\windows.cortana.Desktop.dll+a274|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f 10341000x8000000000000000101291Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101290Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101289Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101288Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101287Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101286Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101285Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101284Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 354300x800000000000000090511Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:38.997{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50719-false10.0.1.12-8000- 23542300x800000000000000090510Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:41.226{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF2307481D593A106FA4B4E44619D411,SHA256=A0B1C2B5F52D19EA25C453CEC219F69D8A36DF2D2AC293D15178F3EDB8A77010,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101353Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.988{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101352Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.987{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101351Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.986{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101350Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.986{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101349Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.967{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=388CE36C36A2DDE30065D91A17E5A9A4,SHA256=F8F42FADE001A5F0FAD9AC1E04D1C46493A47BAB4DF69A46D6DA92CE8A82D123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101348Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.966{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=86B1178F17B644DF03383B3F773A9103,SHA256=3903821B9584B002FD8375F8395AF15B79215FADB67C0C62B2B0EE81E6F3D693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101347Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.965{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8D1B14E24DA440832424EA9771FC625,SHA256=7632FF02F4C609A5DA6DAD46AEC73F6B198F0AEFEC84FCA516915996412C398F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101346Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.848{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074731EF6FDE9BEC37B45575DCA05A20,SHA256=75A34CBDE5209D9B5367E46CC8188F379E61C77E054EDA6D370B3760A888FD23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090514Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:42.710{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03170723BB53FDD9B3E87B84BCFAE464,SHA256=43DDE7F3985945B4BC5A441B2A8CF3CBA1E12DC10E81842D371463FA4495D686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090513Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:42.460{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F64B0001DD5F12D16A302E88C5F265B1,SHA256=807E10A28EA7F2D59C0D17E617E20CF1E18995834CA3CC3B4972E97540A0E44A,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000101345Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-CreatePipe2021-04-26 09:37:42.796{3A00444C-89E5-6086-0903-00000000BC01}1388\PSHost.132639034619594029.1388.DefaultAppDomain.powershell_iseC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe 23542300x8000000000000000101344Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.790{3A00444C-89E5-6086-0903-00000000BC01}1388ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_jmw3xxjx.2nn.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101343Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.790{3A00444C-89E5-6086-0903-00000000BC01}1388ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2hlfj3ao.xd1.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101342Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.783{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2hlfj3ao.xd1.ps12021-04-26 09:37:42.783 23542300x8000000000000000101341Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.761{3A00444C-89E5-6086-0903-00000000BC01}1388ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Temp\WPF\xqoy0ocr.ua3MD5=F04A2805F60770668268454EDFC499FA,SHA256=AB3A68D162953659E8C02DBD5C13121DF9DB824D404824450FD38134E32F5ADF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101340Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.693{3A00444C-7713-6086-0B00-00000000BC01}624796C:\Windows\system32\lsass.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101339Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.693{3A00444C-7713-6086-0B00-00000000BC01}624796C:\Windows\system32\lsass.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101338Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.675{3A00444C-89E5-6086-0903-00000000BC01}1388ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\ISE\S-1-5-5-0-1563636\PowerShellISEPipeName_1_c000c3e9-3089-4ae4-9576-0a20b58732d7MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000101337Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-CreatePipe2021-04-26 09:37:42.675{3A00444C-89E5-6086-0903-00000000BC01}1388\PowerShellISEPipeName_1_c000c3e9-3089-4ae4-9576-0a20b58732d7C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe 23542300x8000000000000000101336Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.329{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D3B5034896445145F80B505E6D3FAC,SHA256=B8F86AC6F55FCFF859F374374769A574D99F12EC74852FB2B076A91871B0CB6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101335Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.234{3A00444C-7715-6086-1100-00000000BC01}4761724C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101334Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.229{3A00444C-84EF-6086-4A02-00000000BC01}42924496C:\Windows\system32\taskhostw.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101333Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.229{3A00444C-84EF-6086-4A02-00000000BC01}42924496C:\Windows\system32\taskhostw.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101332Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.216{3A00444C-7715-6086-1100-00000000BC01}4761724C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101331Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.215{3A00444C-7715-6086-1100-00000000BC01}4761724C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101330Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.067{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101329Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.067{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101328Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.067{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101327Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.067{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101326Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.998{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101360Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:43.864{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1E4F9F98E5042FCFE58D2E7890C405,SHA256=ACF9D8BDDF907FEC7BBBEBBFDF0F51B93AB1DCB8DDA1F29B2ACB941590D5C49D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090516Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:43.960{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D966E2FD3110CBE17B85C3F93386C7,SHA256=BD90DC0764D1F575A0A8ACF1C20EACF6E4BFF887CFF403B5D11BB82335F904EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090515Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:43.726{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A64DF3927CACBE73FCFC410AB27C580,SHA256=E26C6EB703F93E8070486966BB1EBBF18136D2AA3F121DD3DFCAB86C5DBCC281,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101359Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:43.073{3A00444C-84F0-6086-5002-00000000BC01}47324948C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+133d4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101358Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:43.073{3A00444C-84F0-6086-5002-00000000BC01}47324948C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+133d4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101357Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:43.073{3A00444C-84EF-6086-4A02-00000000BC01}42924496C:\Windows\system32\taskhostw.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101356Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:43.073{3A00444C-84F0-6086-5002-00000000BC01}47324948C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101355Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:43.073{3A00444C-84F0-6086-5002-00000000BC01}47324948C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101354Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:43.072{3A00444C-84F0-6086-5002-00000000BC01}47324948C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101368Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:44.877{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78D512287E52175B0F9427074B6184A,SHA256=1A2D807DE8E0C485418740A0C59F47FD90B941198128F4A1D7A927E18D8876B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090528Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:44.757{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BABB4BF3B5B6F57FB39082EAF22C575,SHA256=38DCCD7B092201C9D04FDF1B46D9BAB0A8EFD7B7569CFBDACA619943E8BB52ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101367Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:44.198{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D74203985DED4ADDC7D0213E02F3D65E,SHA256=EE18864F09F2D999714B4FC277BE14E226545E00F0BBCAA23E22277CA5089563,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101366Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:44.164{3A00444C-84F0-6086-5002-00000000BC01}47324792C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101365Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:44.164{3A00444C-84F0-6086-5002-00000000BC01}47324792C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101364Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:44.164{3A00444C-84F0-6086-5002-00000000BC01}47324900C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101363Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:44.164{3A00444C-84F0-6086-5002-00000000BC01}47324900C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101362Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:44.164{3A00444C-84F0-6086-5002-00000000BC01}47324900C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000101361Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.814{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57469-false10.0.1.12-8000- 23542300x800000000000000090527Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:44.304{98176BC8-7727-6086-1200-00000000BC01}1096NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9CD98101F5FF262DAFE341EE77ACAFB3,SHA256=E4D4ABE3062FA70E4729B306EAEA273048FE11187476A3A2F64492960BB742D8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000090526Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000090525Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0049875d) 13241300x800000000000000090524Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d73a77-0x6d0bc5d1) 13241300x800000000000000090523Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d73a7f-0xced02dd1) 13241300x800000000000000090522Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d73a88-0x309495d1) 13241300x800000000000000090521Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000090520Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0049875d) 13241300x800000000000000090519Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d73a77-0x6d0bc5d1) 13241300x800000000000000090518Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d73a7f-0xced02dd1) 13241300x800000000000000090517Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d73a88-0x309495d1) 23542300x8000000000000000101369Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:45.890{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624923D9D6809AC7BE71C7352320213A,SHA256=C0E7EB5F25F1F4FB3A291515856D7705FECADFE83D31803611720E9617C69E2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090530Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:45.773{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886D7463C9C70CF166B597BEE710B949,SHA256=C5D3F7BBC33274AE3CD87B7E592D55C74B6D38D1FD21860EBC25351DF1A720A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090529Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:45.148{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4FFF3238A9A298C0E9D2FA938412112,SHA256=ECDC151D6BB4BCE76428C9684426C319FD6CF43FA73CCA9D90016B06F7C8AEEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101370Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:46.916{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FECF6B19E2BDC121187B9476F39FB31,SHA256=463A26338E929D4199EDC034F8011695270BB98A1F44E2533D989544C46197E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090533Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:46.820{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D8CAE0B76E66C4C57239803B8D8A2A,SHA256=19AA97DBDD16BBFC24BDD859513327C6F7107FA62DA3BF4CF6BDC875EB691574,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090532Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:44.997{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50720-false10.0.1.12-8000- 23542300x800000000000000090531Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:46.273{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=074664F4E5F1F6BF02212CEE4D11B998,SHA256=C1DDA100E7216A0D06ECDCBF33467BE730B9C00D4EF09397B8E3D651676E77F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101380Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.922{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8F339B679718B147798B42A79A9FEE,SHA256=7D83E5F9634178946C4CC088B60308265F4B7FC99D55007184486653F43BA230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090535Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:47.820{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F9D74A4FB648CF8127004AB1948F3F,SHA256=D822FEA05C54A2FC2CBEEA3288EFEF8D05918A3951F690378B608491EDCA3481,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101379Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.328{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101378Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.328{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101377Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.327{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101376Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.327{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101375Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.327{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101374Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.327{3A00444C-84EF-6086-4702-00000000BC01}42084596C:\Windows\system32\sihost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101373Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.170{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101372Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.170{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101371Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.170{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000090534Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:47.523{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C3D80990C5545C7A46107EE7636DCBC,SHA256=8E7676BAF87EF2730E756998AD1E9C247529E3926A0067DB70F15A07654124B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101382Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:48.934{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9207D26C6972F67F170F4461C49540A1,SHA256=CD110E9A6658D97894F86B703866BA3292F5748FA46A1958DC17624C66EBFA5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090536Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:48.835{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930AF79CF95E3775AC3D03C39F97A499,SHA256=9CF67EC6A32A19CA91CE9993701BA20923DFEEBD8DE636B175C42DC89CD5E029,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101381Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:45.887{3A00444C-7725-6086-2D00-00000000BC01}340C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-841.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-841.attackrange.local62475- 23542300x800000000000000090538Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:49.882{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2757795347EE2B687C4354C3882C4142,SHA256=DFCBE158FA70CD2D8B3B8A67AB87827CF2746345C98928237F2AEDDAB184FB8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101383Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:49.994{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15A951549359A55EFB77ABD2106BF33,SHA256=AC8D1A1DED05A985BA1E263D33B8AAFA95AD3A3BA39191432820710989668537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090537Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:49.023{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E3E067EE7A268F863A6325864098742,SHA256=5A357BEA997F4AE4A237D0E9C0FE81CB17BBEC216402477AA7C87A2E32A8AC09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090540Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:50.898{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4C35B55484AE196B3DCEFFFCC81FC4,SHA256=313F4892011DF1AC9BB81EDF5558E563C7B07F30AF8E06F623F629EE9ECD90DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090539Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:50.179{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC3AC1A26CCDCA1449EA3CC62ECBC607,SHA256=A182CBE2DCC7CE520D932DE96F41C1F876EF9C9BB47A70B71922146F4761FE3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101384Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.792{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57470-false10.0.1.12-8000- 23542300x800000000000000090542Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:51.914{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5E1A7D66F88331557B36443D1D2BA5,SHA256=5FC58D95D77DD4AB06544E420389D45AABEFED6BDB916AF4830FA389EFFBFD35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101385Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:51.007{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183384C7BAAC14AD425CC3EE2F4DE466,SHA256=0EECC61946444B8FD5E9DE9737C60E383D836116EB05A63913E4D17D364AFA2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090541Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:51.226{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC0A622071B4688A648FCB2E14FA6F97,SHA256=2496D8CB08FAEC04AF63C3328F08CE9EB2E7DBCB4EDC0E4FB7539DF082D19D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090545Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:52.929{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D901570BE3440DE4222485F533DBB6,SHA256=ADF07DAFDF5F071F7B134795F982ED533AF552D33F2A99435D7F14A1F00CFEA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101401Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.950{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-89F0-6086-0A03-00000000BC01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101400Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.949{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101399Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.949{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101398Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.948{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101397Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.948{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101396Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.948{3A00444C-7713-6086-0500-00000000BC01}408524C:\Windows\system32\csrss.exe{3A00444C-89F0-6086-0A03-00000000BC01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101395Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.948{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-89F0-6086-0A03-00000000BC01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101394Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.948{3A00444C-89F0-6086-0A03-00000000BC01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101393Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.903{3A00444C-7725-6086-2C00-00000000BC01}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C81FA1D267D8190DFD394F0C6EF1C409,SHA256=8799B118458B61BC2BE2C7CCE01ED0BF8DEE56258AADF3EC25E977922F694BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101392Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.056{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=F6E55EBE745A774BC878F7290F9E658A,SHA256=E92D7E83538E4D52B3458EEB762A9AD28C34E2DE72006DA6FCDA8581E5052BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101391Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.055{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=1A7E0C577B6BA6460C3B64D26687B51E,SHA256=836BF67A841A3246B659A46B14A6928BF41A5DBC7A5B5B09ED91AD889E61BA78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101390Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.054{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=B671D6C8C9F24CAA942CDA1A5A390C20,SHA256=EA4C5631BE9C4958F42EC7DF1D62F89223130FEEC829278D3BE761006C5DB5D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101389Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.053{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=CEB8783DC69C7AC7044297941CCFDF4A,SHA256=59C938E07A4DF6353A694913C9D7AF7525CD0CCE373545F213FF1D70B3ECCDE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101388Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.051{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=48B0104C2CC002EB71849C0EA6FB9453,SHA256=6D3DA70C4EA16799EDE7052D45C97AED2FE80BD8582438C905F73357ED4DB884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101387Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.050{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=B30D3C94A954A915FCBD52323E862D75,SHA256=577A946F4CC459B2D4F2987A4E81D690668FC50372B5F9D34E736A1C7F719126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101386Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.023{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749E6F1E589660249D167F3FBC7463C6,SHA256=E85A68EBDAEAC89CBFB8CDA1A90C2499DED0DA320F20BCAEA1C293B03DED3A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090544Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:52.445{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECAEB2C39E54E613D73B3234D4526F17,SHA256=A05D0D2B2932B5F617135FD8143C460EE61A8EF738715F918646D038DB8122E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090543Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:50.028{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50721-false10.0.1.12-8000- 23542300x800000000000000090547Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:53.945{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BF05A02EEC94692A54EB4EFB27EB3D,SHA256=36F88FC110D1D00CA7892B2B9A8879A11730D97E92A63F13B8694E42E5E503CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090546Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:53.742{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82CF3C163474F50DA8FD329B568C662F,SHA256=AE57731443385803F60C97942A23F9EFD0C5C35072DD069956E60069ECB00D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101413Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.966{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEEB7DD27836B193C43C6C56F2C1E6C7,SHA256=DCC760228F7DDB345743936F248DC9736EAA5B2BA3BA2D68B8AC189E8D5A2298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101412Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.965{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=388CE36C36A2DDE30065D91A17E5A9A4,SHA256=F8F42FADE001A5F0FAD9AC1E04D1C46493A47BAB4DF69A46D6DA92CE8A82D123,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101411Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.639{3A00444C-89F1-6086-0B03-00000000BC01}8446420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101410Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.498{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-89F1-6086-0B03-00000000BC01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101409Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.497{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101408Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.497{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101407Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.497{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101406Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.497{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101405Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.496{3A00444C-7713-6086-0500-00000000BC01}408524C:\Windows\system32\csrss.exe{3A00444C-89F1-6086-0B03-00000000BC01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101404Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.496{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-89F1-6086-0B03-00000000BC01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101403Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.496{3A00444C-89F1-6086-0B03-00000000BC01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101402Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.039{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8301DF09638D394333A121EE5988983A,SHA256=CB29585CDEAFE24EA11283E2968363AD3E44C9319B926888E9B4038E8066C58F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090561Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253EF2ABF8755CE183FC50940ACF08F3,SHA256=EEEF6A5377A4899A4CFB393754701FC4A63D5C219F3BF49423A844DD8826547D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090560Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-89F2-6086-C802-00000000BC01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090559Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090558Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090557Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090556Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090555Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090554Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090553Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090552Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090551Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090550Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7725-6086-0500-00000000BC01}628904C:\Windows\system32\csrss.exe{98176BC8-89F2-6086-C802-00000000BC01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090549Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-89F2-6086-C802-00000000BC01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090548Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-89F2-6086-C802-00000000BC01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000101423Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.077{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-89F2-6086-0C03-00000000BC01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101422Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.075{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101421Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.075{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101420Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.075{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101419Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.075{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101418Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.074{3A00444C-7713-6086-0500-00000000BC01}408424C:\Windows\system32\csrss.exe{3A00444C-89F2-6086-0C03-00000000BC01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101417Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.074{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-89F2-6086-0C03-00000000BC01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101416Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.074{3A00444C-89F2-6086-0C03-00000000BC01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000101415Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.500{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57471-false10.0.1.12-8089- 23542300x8000000000000000101414Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.048{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE3D1B28D76DC09A5A73C5331818DE1,SHA256=43442D1A4024D034EC29C66B46BBFE72F3305BBCAD564AA7010B04C061D7824F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090577Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.758{98176BC8-89F3-6086-C902-00000000BC01}27364076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090576Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-89F3-6086-C902-00000000BC01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090575Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090574Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090573Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090572Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090571Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090570Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090569Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090568Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090567Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090566Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7725-6086-0500-00000000BC01}628644C:\Windows\system32\csrss.exe{98176BC8-89F3-6086-C902-00000000BC01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090565Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-89F3-6086-C902-00000000BC01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090564Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-89F3-6086-C902-00000000BC01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090563Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.492{98176BC8-7727-6086-1E00-00000000BC01}2120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C81FA1D267D8190DFD394F0C6EF1C409,SHA256=8799B118458B61BC2BE2C7CCE01ED0BF8DEE56258AADF3EC25E977922F694BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090562Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.164{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=051F4E8DE9465F3FA02F81A1ABE8950A,SHA256=8A1922A879A973B7B842A66EA65A1E2AB22BF3CC46EC70BB4AACD93EB542B26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101425Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:55.081{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEEB7DD27836B193C43C6C56F2C1E6C7,SHA256=DCC760228F7DDB345743936F248DC9736EAA5B2BA3BA2D68B8AC189E8D5A2298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101424Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:55.067{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E30FD02EC09CF8986EE83BAF5CDCA89,SHA256=6CA9731C0CBD14DF29EF316D536B9BA5ACC31F2662F6F9446F4377CAA9C65EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090592Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.429{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE9F6B705A96FBE4E16DC37C839AB584,SHA256=6D0C01C4FEBF44511F887744EB0D821DC6E8A672961BD12F04B67937647FC3BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090591Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.429{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D786C7C99C676BA748151AA8A4ED3B,SHA256=19A84B477BFD27D09D5F70D542F5880466A2EDA7B6E1F9EF41532AE99E633347,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090590Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-89F4-6086-CA02-00000000BC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090589Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090588Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090587Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090586Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090585Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090584Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090583Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090582Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090581Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090580Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7725-6086-0500-00000000BC01}628744C:\Windows\system32\csrss.exe{98176BC8-89F4-6086-CA02-00000000BC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090579Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-89F4-6086-CA02-00000000BC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090578Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.305{98176BC8-89F4-6086-CA02-00000000BC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101437Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.719{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9D0001AA4D2BE06FE839DF84C93265D,SHA256=E4FA1BE66A2619495D0D99296B3AE9D324530A11C759342140E956FBCB4C098B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101436Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.536{3A00444C-89F4-6086-0D03-00000000BC01}50366572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101435Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.398{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-89F4-6086-0D03-00000000BC01}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101434Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.396{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101433Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.396{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101432Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.396{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101431Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.395{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101430Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.395{3A00444C-7713-6086-0500-00000000BC01}408424C:\Windows\system32\csrss.exe{3A00444C-89F4-6086-0D03-00000000BC01}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101429Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.395{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-89F4-6086-0D03-00000000BC01}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101428Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.395{3A00444C-89F4-6086-0D03-00000000BC01}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000101427Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.829{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57472-false10.0.1.12-8000- 23542300x8000000000000000101426Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.072{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2CDA696EB90A7325BD95294E1BDF4D,SHA256=8E1AC590BA9BFA23E0E6EA9BFD852FE6157404B6D73A13E7344EBF035571A745,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090609Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.945{98176BC8-89F5-6086-CB02-00000000BC01}21522204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090608Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-89F5-6086-CB02-00000000BC01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090607Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090606Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090605Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090604Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090603Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090602Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090601Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090600Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090599Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090598Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7725-6086-0500-00000000BC01}628744C:\Windows\system32\csrss.exe{98176BC8-89F5-6086-CB02-00000000BC01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090597Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-89F5-6086-CB02-00000000BC01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090596Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.821{98176BC8-89F5-6086-CB02-00000000BC01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090595Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.445{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4B27EE74885E22D9521A6C7BA56D1C4,SHA256=47CA0D25E52F4FCF561FEF1730A877B59B19D61757D033BB2164A9B35DFA7D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090594Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.383{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8FFA3AFEBBC222F6FD0E0F92424008,SHA256=F75AB3DD64EAC8DCA9AF6C2E95CA981A7E185A6D65A8DAD0D365DDEDBE858513,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101449Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.198{3A00444C-89F5-6086-0E03-00000000BC01}71201016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000101448Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:55.301{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-841.attackrange.local57473-true0:0:0:0:0:0:0:1win-dc-841.attackrange.local389ldap 354300x8000000000000000101447Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:55.301{3A00444C-7725-6086-2800-00000000BC01}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-841.attackrange.local57473-true0:0:0:0:0:0:0:1win-dc-841.attackrange.local389ldap 23542300x8000000000000000101446Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.128{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF788F8CB2E789164F5B074899CB5087,SHA256=E700556D292101FDE969DF4D8F52539D92381C2953807749342E0B6AF37E2F32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090593Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.293{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50722-false10.0.1.12-8089- 10341000x8000000000000000101445Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.059{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-89F5-6086-0E03-00000000BC01}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101444Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.057{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101443Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.057{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101442Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.057{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101441Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.057{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101440Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.056{3A00444C-7713-6086-0500-00000000BC01}408384C:\Windows\system32\csrss.exe{3A00444C-89F5-6086-0E03-00000000BC01}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101439Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.056{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-89F5-6086-0E03-00000000BC01}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101438Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.056{3A00444C-89F5-6086-0E03-00000000BC01}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090626Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.633{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=603A2E4921AF6F7982435B6FBF1282A1,SHA256=4D9C8CA71E1AD61B8F08FC8E45D45B1160AF78E802EEAE0FF25BBEB403A18C16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090625Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.633{98176BC8-89F6-6086-CC02-00000000BC01}3844220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090624Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-89F6-6086-CC02-00000000BC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090623Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090622Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090621Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090620Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090619Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090618Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090617Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090616Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090615Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090614Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7725-6086-0500-00000000BC01}628904C:\Windows\system32\csrss.exe{98176BC8-89F6-6086-CC02-00000000BC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090613Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-89F6-6086-CC02-00000000BC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090612Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.493{98176BC8-89F6-6086-CC02-00000000BC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090611Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.461{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACFC2FF8AC1C7CFC55F4AF95ADE9AEC,SHA256=90C8DC4FF631FE897290B553B61BD4C63854EFCC0E4BA27FB69B742E671DB480,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101462Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.675{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101461Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.675{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101460Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.212{3A00444C-89F6-6086-0F03-00000000BC01}61646500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101459Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.134{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67BAC5A89CDBBFB8E44018085F2B183,SHA256=2C5A81679F39F9CFB93EB2001F96E3176E67EC512740C6087148EA143D77A676,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090610Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.043{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50723-false10.0.1.12-8000- 23542300x8000000000000000101458Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.070{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20B43DCD8B1F30C6D288C419DBDC030B,SHA256=D613EFCCF7F5E9A61788D16A1604B1B6C3B19769F72F568E7F67635A64F70CE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101457Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.040{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-89F6-6086-0F03-00000000BC01}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101456Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.039{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101455Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.039{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101454Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.039{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101453Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.039{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101452Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.039{3A00444C-7713-6086-0500-00000000BC01}408524C:\Windows\system32\csrss.exe{3A00444C-89F6-6086-0F03-00000000BC01}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101451Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.038{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-89F6-6086-0F03-00000000BC01}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101450Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.038{3A00444C-89F6-6086-0F03-00000000BC01}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090642Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.851{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDE29C2986E4BE4FBA085A1C834AE5B3,SHA256=1D92E34C16F5D33A68BB43690D2730B67AEAEF2DF1B86137B58DFC63B5CCF78F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090641Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.851{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6520EEB85D85BEAD41C8CFECAD269A3E,SHA256=AF692F735DC254D6623A0F84AF4A092F656FD08C5E3DDB4080A28B32A0B70910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101464Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:59.415{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=93B727024C95FD37F8AA537040E293CF,SHA256=F56C2C9523F9C6B2181BB3593144BC4198738E8A5E80B491725999D429B439F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101463Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:59.150{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB1D5DFFD9492C8BD4ADE3B2038BB24,SHA256=355026D571A7742F277A07B59DEAC3287AFBD2E99C569ED842846A5ACE1BA036,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090640Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.289{98176BC8-89F7-6086-CD02-00000000BC01}25283592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090639Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-89F7-6086-CD02-00000000BC01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090638Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090637Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090636Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090635Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090634Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090633Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090632Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090631Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090630Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090629Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7725-6086-0500-00000000BC01}628644C:\Windows\system32\csrss.exe{98176BC8-89F7-6086-CD02-00000000BC01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090628Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-89F7-6086-CD02-00000000BC01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090627Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.165{98176BC8-89F7-6086-CD02-00000000BC01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101473Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.151{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556C448B00604897D3952BE15B6507BA,SHA256=6FA94876E4FFBDCCCD6A0BB6AA199EAFC690C48A545F0EE09BF235807E7C8A6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090656Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-89F8-6086-CE02-00000000BC01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090655Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090654Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090653Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090652Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090651Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090650Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090649Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090648Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090647Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090646Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7725-6086-0500-00000000BC01}628644C:\Windows\system32\csrss.exe{98176BC8-89F8-6086-CE02-00000000BC01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090645Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-89F8-6086-CE02-00000000BC01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090644Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.993{98176BC8-89F8-6086-CE02-00000000BC01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090643Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.930{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CA68DBD88321A5C10A1B6DC6DEC885C,SHA256=D42C4C9CD46B16863824308EE75DC4F6328EF8459201C8726D609E7B4A8B1E38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101472Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.070{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-89F8-6086-1003-00000000BC01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101471Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.070{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101470Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.070{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101469Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.070{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101468Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.070{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101467Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.070{3A00444C-7713-6086-0500-00000000BC01}408424C:\Windows\system32\csrss.exe{3A00444C-89F8-6086-1003-00000000BC01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101466Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.070{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-89F8-6086-1003-00000000BC01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101465Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.070{3A00444C-89F8-6086-1003-00000000BC01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101475Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:01.153{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3BBFD642036FEC38AA2D62D4467C23,SHA256=7BDB3BBB1FDE9FF17FDCCA31AEFE46AD09B77D475EA942A549E4D582077517F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090657Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:01.008{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0842CDE593F3548855ABF119357C4C1,SHA256=EA93AF9359C9833DFF64C002F3922B044E3128DCB7E6C869B03AD6EF3994929D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101474Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:01.084{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5F838F0BB5187B5D93E53DF483D8582,SHA256=6A9DDA9D37A3A41358B265432DB7CEB5A21D8621253A40E212990BA374C00943,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000101480Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:38:02.388{3A00444C-7725-6086-2E00-00000000BC01}2208C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x8000000000000000101479Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:38:02.388{3A00444C-7725-6086-2E00-00000000BC01}2208C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\8F43AA77-39F2-4006-8A7C-B722E72673C8\Config SourceDWORD (0x00000001) 13241300x8000000000000000101478Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:38:02.388{3A00444C-7725-6086-2E00-00000000BC01}2208C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\8F43AA77-39F2-4006-8A7C-B722E72673C8\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_8F43AA77-39F2-4006-8A7C-B722E72673C8.XML 354300x8000000000000000101477Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:59.832{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57474-false10.0.1.12-8000- 23542300x8000000000000000101476Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:02.156{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE15899B1A1747DF72A169DB9DF20851,SHA256=F19D77E2EAF1C7941B9A4D90B46285A54EF8569C5E6C1FC10A918B96A665DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090659Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:02.023{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D48D2DE3F6BBB14361697D9865BA832,SHA256=21C1ACE6085A34C1618B66FED703E2E048E19D062E6B201B9D9E5BFFA7046DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090658Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:02.008{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E51F13CC44FB57C080D79E5E8D1AB37E,SHA256=985F1D18E4D185BCE557816D8854BCB7F50FC08534D9BC4EE0B627739049A0D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101482Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:03.422{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C87D081DAFCB375C75FEEAC86951CDED,SHA256=B56097C8E93CA8B38A83E4BC41F73C78BCB63EDE1D4F2612A1437C48843A840F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101481Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:03.174{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3496E2F9F02A06F835D0505B875EE0,SHA256=EFE8D8A30FE4A71BD08F22AE594303A525DB7C879AEE335F0A002FF3627D50DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090662Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:01.840{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50724-false10.0.1.12-8000- 23542300x800000000000000090661Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:03.086{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3857FA245AF2D9A0133D0E53418DE1A4,SHA256=239780C88BB5A33BFA4C4005E3898AE9B4CFD5FFAE608EB8F8B3951E55D8778E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090660Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:03.039{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD36D693FD3F1F4A6EC738AAC91FDD34,SHA256=2030CD42468BC11BF0F90889A63FDAB7ED227817B409AFDCF39684E7491A3B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090664Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:04.414{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77AD18852E4E33DF318BB64A94CC05CD,SHA256=65C8F6CBE4845AFE4409D4EB69FC1A88A60CE7707A4E2C75ACF628FE7F97EC74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090663Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:04.102{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93CB45562A68EFCBB42462D744DB72B9,SHA256=E8D038450AC93099A06C9FDA4161A20510523CBAEE125D41228CF0049CF0A524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101495Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:04.963{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=7E3581D0664BD928C1D924C805182452,SHA256=50823C452FC2ED5BCBBEF8BE6E002C3C19F7DF6BF3C029AE8EE8DB67C76D9840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101494Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:04.963{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=6F3B44018FCBF0F5F4D9DDF1ED29C4AE,SHA256=4CED94A1A69C372934DC130C4BB13BCF0EBA82D47F2C3B7D35FBCDFF78D30201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101493Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:04.963{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=CE33F4C499E994591C9188201F41E512,SHA256=E86E010D5F5BB6AC4B43B1826CE67DF4CBA311871753D51B06B7067361602C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101492Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:04.963{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=4408C04D5D78D5B930E4AF572FB83E09,SHA256=6A1E8F390385417AF8AB82CF529841D7F49B0608613D7825950F82A58E359E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101491Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:04.963{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=9A5F8055D432B795DC22288BA525B306,SHA256=06057B309E78950EE6FEF0E936C9B3D9146FAE94F1FE845F50A4730041129CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101490Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:04.963{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=5AED43F0AE64F35216E70A154E61A845,SHA256=5B080A12D8D2496D0BBE2311EA2967E37EE14E69F98DA4060D10EFD178B0D200,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101489Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:02.007{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57477-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local389ldap 354300x8000000000000000101488Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:02.007{3A00444C-7725-6086-2E00-00000000BC01}2208C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57477-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local389ldap 354300x8000000000000000101487Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:02.002{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57476-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local389ldap 354300x8000000000000000101486Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:02.002{3A00444C-7725-6086-2E00-00000000BC01}2208C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57476-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local389ldap 354300x8000000000000000101485Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:01.992{3A00444C-7715-6086-0D00-00000000BC01}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57475-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local135epmap 354300x8000000000000000101484Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:01.991{3A00444C-7725-6086-2E00-00000000BC01}2208C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57475-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local135epmap 23542300x8000000000000000101483Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:04.177{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56AFBC973CC30476EE548A4C3BC98315,SHA256=FCA4BD877EE7B6AA678827149E6D184BE6E96D31FAADCB898CF053AC3FD11CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090666Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:05.451{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0783F0B1310CBFFEEA9271C7B98AFC3F,SHA256=6C90092FDD13CB8044AC3A05CE400901E1EA7E420A1E365EF3BD24D64B243E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090665Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:05.117{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3CCFEBA61E66FE54A2E72361197BC2,SHA256=2DD9A7C1F09D4BC7C46B7106F44217446252ED37A0A4DB25AE88114A9C8350C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101496Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:05.195{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D04EEDF6AF7AD19501094D6537511C,SHA256=65F1EFF9E2C85D6869DA23158F31DCCAD6D502B643251509A9B6F274DF51D7B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101497Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:06.198{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6CB8CE39C0F0EF62057381556421A4,SHA256=978891309B9391B47692B06FE7473A9763932612AFB791B2F08901D969AA357D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090668Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:06.696{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23D8DC6C74BEC3F8407C855D2199FB85,SHA256=9463733A74EA0232CFFD9BE753BE7E397AD2826A3B4536CA136B94F143F2CA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090667Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:06.227{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47901B4ED99991F7CB1519AF3B4BDA3B,SHA256=03BBF3C580213E667B026D717456873738E51C0F032E161A412DBBC82CC07C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101498Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:07.198{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F8E76B167A08A3D18FF3C73A486F91,SHA256=FF7E838E20510911B454C9F3E0A8B9C0BECE296E3A62209B3BBE0594A8772056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090670Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:07.899{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A005ED0ACFE953F6D3C3503F214DC236,SHA256=C72936A274CF5E9D7C613CBA50357079D72645031E2240D78680E1396B7D1F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090669Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:07.258{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8874C7C645F91056D4E96FE80B6716C0,SHA256=455485FB0C5746F4C8852C905FF27509C3DB80CEB24B444E211F819B15044217,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101501Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:08.367{3A00444C-7713-6086-0B00-00000000BC01}6241196C:\Windows\system32\lsass.exe{3A00444C-7711-6086-0100-00000000BC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000101500Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:05.847{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57478-false10.0.1.12-8000- 23542300x8000000000000000101499Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:08.229{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1A3F36612946F3371AB4A88ECB17D1,SHA256=F8FD5AA2E90219C88FE4E47CE6F1EB5A8F8FE89C9C5DFCD32EA375BF59220C3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090672Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:06.855{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50725-false10.0.1.12-8000- 23542300x800000000000000090671Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:08.289{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C454D40B6E1C203FCD36B878AC04348,SHA256=D9C4C7651BD18ED86D2CA4DAABF0243A51F45374F6A25F91E1E2C65CDFE22865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090674Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:09.305{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA5154A76DD816036E1F11AE60AE609,SHA256=DDE3165929FBC65333BA1C556BBB4D8DE7D9A32CEE17F326EE03974EA688C15D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101512Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.983{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=914203F6E5ABB8EACB42BF85C3C32D80,SHA256=9A3AC9E29D158249BF04AA5B10AB94ABD41648672EC7C269041817647B4969C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101511Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.983{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=4358167FEB67E877439F6D01D5607DD1,SHA256=DDA7DCA4BBDD896D964D83E18F6F77E578C533CFDEF6DD020149DB19870C4A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101510Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.983{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=053AE7541CED9A1346FAAD474F853CBE,SHA256=9659BDE4ADD59575AAE3BDAD3CA37D1002E70073FDE764A7D0B0EB0EFAA7E249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101509Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.983{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=6B156E0B5624CD46D5410244B1602D9D,SHA256=044532ED598D79B382AFDCD53F3B2F9BF8F8AD60B672C482A367485F3765FAF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101508Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.983{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=765934BB01768A9D4390E21AEFCC8D64,SHA256=A05F0CED8FA5A2DAB3293749E08B8696D33DEE7C582F2EF61F25DC83A9F1A61D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101507Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.983{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=914EADFE8E034152BBFD724FA537212F,SHA256=155BB9CA5E96D082103F4B5C7D6B10BD493EC5E2A5236CCD123361FAD97E6E0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101506Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:07.872{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57479-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local389ldap 354300x8000000000000000101505Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:07.871{3A00444C-7715-6086-0F00-00000000BC01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57479-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local389ldap 23542300x8000000000000000101504Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.313{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C51A6BF8088171E9379780D1CEC2869,SHA256=9B7F0108DD98215EB8191A3DB1C2ACC9081BFD3B049E5D4C96533ECB8E19C84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101503Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.313{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BC70721B5B46DBF992A052F429222E9,SHA256=EB7DE768C51768A8CC38F8553BF3F73B2C86BA4ED839158DDEB9767F86E77DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101502Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.230{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04B4AD884E8EA67531018463FFA1877,SHA256=288314C2DEDDCC0371470C7C12A63E379913AE6FDF3EBCF2BF1BB7D514035161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090673Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:09.039{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=539D87BA55E9BA34CA9B60B3F4E7E8A1,SHA256=1630FB50619CC372EC1E3D3487CE1B59FA8F9C2198A3C12C4358D78702C2E374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090676Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:10.493{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB689B8FFC3A632A7179789526D3A67A,SHA256=C8D112EF2BD399025E8A63C77E1A4160785AD47B89CB2C3087495E3423331451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090675Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:10.446{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378C6759C6A422983B14A68F1B691FB1,SHA256=1A789D87F4E904335C390A22A0282C6FDA42E0DC5002156A962D321B0A735528,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101515Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:07.877{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-841.attackrange.local57480-false10.0.1.14win-dc-841.attackrange.local389ldap 354300x8000000000000000101514Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:07.877{3A00444C-7715-6086-0F00-00000000BC01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57480-false10.0.1.14win-dc-841.attackrange.local389ldap 23542300x8000000000000000101513Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:10.248{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3B95F2BE49D4C84B46F1F9FFEDB06E,SHA256=C627C8A5C42EFF9ED03CC46AA8CB5B0903FAC9EBAB6E86E03C19702F19538715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090678Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:11.680{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4401106C178387B2432F01FAD475685B,SHA256=C7D23F5180939260AFAD01712E3AA62DF004253C191D81A52BACE1B67615A0D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090677Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:11.540{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3613AF34689B7107B4803CF009096DD,SHA256=5402DACF1A79A697703C48356A88F942C6837BB45A4B1C8944978A4E2F8B9031,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101518Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:07.972{3A00444C-7711-6086-0100-00000000BC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57481-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local445microsoft-ds 354300x8000000000000000101517Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:07.972{3A00444C-7711-6086-0100-00000000BC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57481-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local445microsoft-ds 23542300x8000000000000000101516Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:11.282{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BB81B85EA70C4BBAB256DBE2E5CAC1,SHA256=5C61787A6FC72C5CC9BEF17BAD67A5F1DD596EF3FA0E81F5823807014014975E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090680Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:12.805{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1565AA04D8306EB519E70681F2A8F007,SHA256=F339D533245F43CD8064B86D9DBEA87B9A234D64551FECCF7B6B60A0E4E5AB76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090679Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:12.618{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A90E2F1D07367D4413BE807388E655F,SHA256=ECB38715B514C1B819551FB552FD36C93E9638C2C9281C363A6754588E4D6C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101519Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:12.297{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\Spl