23542300x800000000000000055747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:27.934{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0IZ8NR8A1G\System.Windows.Forms.ni.dll.auxMD5=EF3404CCFC20B97E804E0921508A9D33,SHA256=96FC2BED83705325F3FB0EBD088F15F4B90203B3525DA008C76F09F3F931A533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:27.934{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0IZ8NR8A1G\System.Windows.Forms.ni.dllMD5=089EC05F8A337F413F5E95DEB1BCBD99,SHA256=DCA25114BD4BFDC0692778471FA8AF3CEC539D4DD8CE5F0596C5AFCA04A27303,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:27.681{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A368B347E90315EC5D75E825C1BE9050,SHA256=5A62E2D5D22B2EFDAE98D211077075635DAC039B7C29622D0AA864584993A248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028258Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:27.061{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED9AEAA495743A39431896B6354AF31,SHA256=3296B8DC41C8F4CAB645F4EB202B612DAF2A530F87F1BF15F0DAEEA896CC2744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:27.050{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0544CE2CCCAB0F9AD44A9C6092D618C7,SHA256=DCA10843B2ABACB85D856BCBD421B43789D0B29E74A1469D15C7086F06E04141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:27.050{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E285B41FBF1967A3EBF9ABDEA75E1F24,SHA256=4B5B62716F057A181251C9B118F16A4BA21C35255749A358CE43C52851E98F05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055754Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:28.996{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0VFIRUF5ZE\System.Numerics.ni.dll.auxMD5=B112B901DBE457D5C44431DEF8018CE7,SHA256=E8A9B868DAAA55B69C61BE12D2C8D3EA8BB1F99EB970230BB6A867B65586B41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055753Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:28.996{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0VFIRUF5ZE\System.Numerics.ni.dllMD5=3C15EEC6D52A4674FE204A7E3610D46E,SHA256=95EBC4E4BF44CE09D29EC4505D7B8548DA661278D4DF53F887CC357557F45A80,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055752Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:28.980{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0QG8HSQLNT\System.ni.dll.auxMD5=84B8ACC5B13C06E48410687ADC7579D0,SHA256=CB2EC2B2788E5069BB12B9308159586E291BDF30E214CEF871EA1E6B2BEBB118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:28.980{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0QG8HSQLNT\System.ni.dllMD5=07887F94F904CF7FC14E9019CA4DA2BD,SHA256=200501E0564697E7A0FC680722FA4FEDADB9D012D65E7B0AA2080EF94FDDED43,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:28.749{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439A39FA5C965C27731D7D742D21A180,SHA256=E737E6A71AEA3E54905C775D26F2478273A89A98C0649BF5142A4F4A00BD8B4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028260Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:27.148{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51212-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028259Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:28.295{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5BC206CDD5B88CCDFCFFEF86C0F763,SHA256=0214FFF683E6B81799A6EAFA356F607B16026403C747538100C700CBB9FF6F11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:28.365{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0OA7EB1HBU\System.ni.dll.auxMD5=9B60B2BBB90F47837198E6E98D82A4A6,SHA256=CF985A3477DD0F499F52050F169ACD88D7F2A767641C25774428BB2755123181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:28.365{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0OA7EB1HBU\System.ni.dllMD5=81C5B20AF92CE8DA61786746DFBBDA67,SHA256=0EC73A4C7D61C98547AAB5B48244022F241D02B1EA7030163D13F9E038D6F96D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055757Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:29.963{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0X54ME6ANH\System.Windows.Forms.ni.dll.auxMD5=4617D052309AFAEF26D5F4D8D4E23AE7,SHA256=0540CD44C52538002758AB0338A2DCFF1C1A02C362FE580545905B1106C75FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055756Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:29.947{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0X54ME6ANH\System.Windows.Forms.ni.dllMD5=1473B7ACF38D8269436DADE7A3A8C5A1,SHA256=9424F4B954C713E8D9562D1809B029DA51618BF6436C9D8B8CF704E354D034CC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055755Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:29.779{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=657F5DD71FA1CA31ED1155BD83BCB6DF,SHA256=02A86DCD031373DAEBA867BF04394444C0C6F91F6D93C020DF2015CDE40DF3E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028261Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:29.326{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2BA28B0FE6579835C65B84063F014B,SHA256=723C33B3AC4DB54E3890F11147EFDF0FEC235AC0F6D9CA2BB1451943762752B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055764Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:30.895{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\14J7AS46N3\System.Core.ni.dll.auxMD5=0D59346ED726744FEA0E19160BD691D5,SHA256=77169350D0B655C78CE5B6ACE4BA8B2542B952D2566D0EB2BFE7CA3AA919E965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055763Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:30.895{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\14J7AS46N3\System.Core.ni.dllMD5=FC3DE6187226828D53AF86A55AEFE990,SHA256=41B7A76F0DD86CFFE6D0CA3DC832FC4BC49BBF1B91AD8522A80A686C78FA8CB0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055762Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:30.830{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBA6ED1175884A59C58043188BA328F,SHA256=60D693EBB907C475A4B23433BE6F0A0DA25DB896118ADB41046FD3DAA0EE65D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028262Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:30.545{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5002F5AD156BB86F6BA5C025F1A0EC49,SHA256=286722C12C5F607A2E0D517F6B6CF0EAE776E0E0F910550261E0A7E0F62CAFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055761Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:30.363{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\13TOZAELWQ\System.Numerics.ni.dll.auxMD5=F3C267CE9D1C3FB6394036F4E7D8E785,SHA256=A32A8CDFBDC610D9D6F3973CBF9D2DD972EDA72B86EF870D3A235737A6429578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055760Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:30.363{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\13TOZAELWQ\System.Numerics.ni.dllMD5=91E874513E4D5B367AB69CA603378A7C,SHA256=704C43518065008070ADC26CDA82847024C7C543FA22971D67EEBDEB9528C966,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055759Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:30.347{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0YWQ59HI7D\System.Xml.ni.dll.auxMD5=369EFABDD4D345DD17D7F6E96CCD5E41,SHA256=793116A843DC9D67DE87EC0A2ABF11E47A922664B267410098AD7B65AD4430D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055758Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:30.347{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0YWQ59HI7D\System.Xml.ni.dllMD5=B08D3457D316715E513E092A4E1F1B22,SHA256=A679587BF2CAC9D31CDDB246811E683C3F8C5237A7E497EC44ACEEBECE5BB901,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028263Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:31.686{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59590A619D71D3374B5D7B023084170E,SHA256=8FFB049D3C96C09822263C20D42712CF323C7960A0ED7285B03518B4FC241164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055774Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.862{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A31A0C1AB4694DC58919196F7E2A003,SHA256=B02C1FEE58C1DBC6CF92B995551755973579F6547CFE065FDF1BB98A638CCCCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055773Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.831{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1AMJ6XH9ZS\System.Xml.ni.dll.auxMD5=D29538F54E146DACA6A1D7E68B48829A,SHA256=D472E44502185F6EFA8EF2F24B7D25DF4EF31AA7229841672DD34F78B2A1242B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055772Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.831{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1AMJ6XH9ZS\System.Xml.ni.dllMD5=FE982F628A5787029F86C592E37326C3,SHA256=3067EB0023C9EF9AA2101FC0153CF6ADFF4EDD956EEE6028F80673439B5E391A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055771Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.510{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\18ATSMREB9\Microsoft.CSharp.ni.dll.auxMD5=BCCA60143E9395CBD98ABC97FAF648D1,SHA256=799DD94DC299F621AF5D70AC9D47731415435028A5A9B625D44C5611C77D14DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055770Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.510{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\18ATSMREB9\Microsoft.CSharp.ni.dllMD5=B9E34CEC4D766AFE6195FCDD5C265721,SHA256=E1D7D03019EFE1A8247C17C2575F647A7FF7E0B6C9CB9996BA29EBB8F9A8C303,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055769Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.363{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\17N3ZVH06M\System.Transactions.ni.dll.auxMD5=999D14BCEA16BC6927359881D4D39D58,SHA256=E951F9BEEAFE791DF0F3CB3AFE9BD07BDE358EE20E01DC5F2018DDDB466EEC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055768Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.363{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\17N3ZVH06M\System.Transactions.ni.dllMD5=069D6E12D3CAB923FD4E8AC75EE89BA1,SHA256=F4957C4BFCF882B16615546FCA8A910B09508E5520C62914203915BA51DC3DF1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055767Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.328{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\16LD33LLVQ\System.Core.ni.dll.auxMD5=CCAD9FB37273BAEBE3F5FA188E00C517,SHA256=67F0D2F9036FA94E2C9FA5EFB2D3D041BBFBE59378A4D2A5BFA52E7821ADC2B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055766Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.327{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\16LD33LLVQ\System.Core.ni.dllMD5=6BE5BA854610D494C606FCE794962FB3,SHA256=95729D65C54D3EC524E4C11C51147EAB34F0F0523983715CD62D741CB94BE626,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000055765Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:29.097{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65049-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028264Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:32.701{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23D149B627643BD124794881BDC93B9,SHA256=EF8961D0D383203D49B91C0A8D86091EBF1B85295D10E97798FFDD411CFDE2E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055779Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:32.878{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3C6871FD6D8AD624C272894E467FE9,SHA256=DE6447C5BF5619ADABF0124A35434C59866F716FBF6B0E4C8A7CBD9AD14D8E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055778Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:32.594{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1GMLPJ6UVG\System.Windows.Forms.ni.dll.auxMD5=EF3404CCFC20B97E804E0921508A9D33,SHA256=96FC2BED83705325F3FB0EBD088F15F4B90203B3525DA008C76F09F3F931A533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055777Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:32.594{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1GMLPJ6UVG\System.Windows.Forms.ni.dllMD5=089EC05F8A337F413F5E95DEB1BCBD99,SHA256=DCA25114BD4BFDC0692778471FA8AF3CEC539D4DD8CE5F0596C5AFCA04A27303,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055776Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:32.393{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=15D14C3C79621C9197BE2FFE4D624D1A,SHA256=AFB2FB62D30CBA868D7DC94669F98D2E727D07E3B59E3F7C0ABF865E4C669C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055775Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:32.393{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=11CA21835D97144B14A57504545039FE,SHA256=3990613B38955F2EF8820BF88B41701A4B2F179EAFA9D0BBAAC7629EFF2D1E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028265Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:33.936{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8967B2E257352AB959EA6035346BF613,SHA256=1B22EC4E0E0EE8321E281137661C13C02DA74AD915C4221A4331310B359DD080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055782Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:33.878{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42AB04FB7AAFB05DCB5AA55643CE7102,SHA256=D40847951815CDE0D1D7C464E5E9DE92B92BC6C69347C726844B7247A3AB1B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055781Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:33.547{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1WN61CHW5A\System.Windows.Forms.ni.dll.auxMD5=F6C231606A7F2DD887BFA24437925F26,SHA256=9A5409CD669694C142B59861B4C92B3F90AFBD4046E46888C8EA80D99826B199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055780Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:33.547{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1WN61CHW5A\System.Windows.Forms.ni.dllMD5=431FC5E8180083E6FA1E00FF64B88ADE,SHA256=4FB1BA0C6AA024526594B04095FD9179A547D1C44053360A99CD463D11D3916D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055787Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:34.894{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC7BB7E0F826C91F1F0DD0DE528D03C,SHA256=5D15D18A119741FCD96B21987A2E3E6ADF3B031551604A4334E1F17FCE34E1CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055786Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:34.309{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2250KRECTB\System.Drawing.ni.dll.auxMD5=DCEFC8B9CB7245B90F2A6AA4084A0F71,SHA256=3760AFB996B9C1860A13167C3DA5FD6B019EE185076145A71387745DC8DA24A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055785Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:34.309{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2250KRECTB\System.Drawing.ni.dllMD5=E8956B039DFD94E1EDBD129DE56F3F2D,SHA256=1DAC647C4642EB0A13A5135BCAF254A30E477CD5DF6BD7DF978F2065CAF5BFE2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055784Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:34.178{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1XUIY9CJL0\System.Core.ni.dll.auxMD5=9D25DB6F29813D2D1FA827D77A12D1BD,SHA256=829105ADBF1A5F782DF9E98B29CD106AE1D27988D05B162A5702069C31282417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055783Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:34.178{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1XUIY9CJL0\System.Core.ni.dllMD5=2FF381DDFCDD26492D228199E5348106,SHA256=381EBF60EC44E82FE34BAC17A1856C95E766E9260604747F71547133C1C550C2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055796Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.929{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92519565F436B59FD551D0212A41AC14,SHA256=4E037617542DAE87F0603D047FB1008CB9A83E8CD7CCFA9E4F38BE7D5DFA7D86,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028267Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:33.101{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51213-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028266Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:35.045{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667FEFECD5932E726C1CDBC715AF7249,SHA256=5C6A2EAFEE934E7D32466DFCA78754FD3FF019CB65719D3A2480F895D43D9AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055795Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.893{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2HPT45PVI7\System.Drawing.ni.dll.auxMD5=6C52FA11480271A7CA24597B93F7BB04,SHA256=61F5983290D91AB3DF009F8C874FA8FE2746C9AB30195650831EE3035CB71CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055794Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.893{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2HPT45PVI7\System.Drawing.ni.dllMD5=C0CD3B953E9ADDA2C2CA1B521CAC444A,SHA256=792530B90A2559951E4A2DBECBE5B4B3FDC08CB4140A89FC252E49C9FD342359,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055793Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.778{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2G2Y49NC2J\System.Configuration.Install.ni.dll.auxMD5=08DAC8470A6071A6F9D300CCECE11FDC,SHA256=F21F4F9BD5BEBE704971BBC058A01C007211FABC2BF86E2BDFF504394E89A5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055792Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.778{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2G2Y49NC2J\System.Configuration.Install.ni.dllMD5=6CEF29BBBE3A64E8EDA58C8614B58316,SHA256=D6B4C973DAA83DB08F6D1013643F3A287BE92A3DF7629A06421EA2370B126C58,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055791Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.778{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\27Y7R3T92H\System.ni.dll.auxMD5=97D37AFB390992CE3C6F1D4E1112CAA5,SHA256=E9BE5584192A17CDF882242AB2C104E2A185B276E589F81AEC50663E4BA6F881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055790Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.778{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\27Y7R3T92H\System.ni.dllMD5=709A692740777021A1BC08A50B61C807,SHA256=AD85D06B3912A64986318D87202BDCAD748D6E68E3B693D37459EF9874889CCF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055789Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.093{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\22WTK6S38H\System.Web.ni.dll.auxMD5=FD01F2FC3BB9C77DE65D7FE41BB7E3FA,SHA256=176DC7D281B5059ACA290E90B90480786F1AC745C1953B30BF63E39B63FCDD3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055788Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.093{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\22WTK6S38H\System.Web.ni.dllMD5=70FDF94CA68090BFC787A336F54A1F7B,SHA256=5804590DDB304F2DE4AB2E9E48C281FBB1EE09CB9C711DCD5FCE424CBB970636,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000055808Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.977{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055807Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.977{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055806Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.977{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055805Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.977{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055804Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.977{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055803Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.945{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82EE6E1E198C740751FEFCACAB98AF31,SHA256=9804C1653C346D3E9192C6DDE8603C4D12110A69F863CCCD99753F52FE3CAD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028268Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:36.264{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C8FC7D21CED313B1022421964D1B79,SHA256=CCC13CBC7949912319D70E5A5B8E88562DA274883CE11600470DD3F751A33DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055802Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.893{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\35M7W2QEE8\System.Security.ni.dll.auxMD5=A8E16B0835C7BA8888173106EDFD7698,SHA256=7D44F7630D8C42C9BCBA5DB5C74B36391E11FC17D4FAF6D26C452C1BD3E359EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055801Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.893{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\35M7W2QEE8\System.Security.ni.dllMD5=B92BEE33B09857E5DB60DF34BED170CA,SHA256=C07B57EDCAACD9E9B6CA2340A8DAB75CCF3BE99EDDF063804E73FFB74CDE645D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055800Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.877{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\32RU3KCHH6\System.Core.ni.dll.auxMD5=1D9AC23D3A528EC83A241C675B3BD0BA,SHA256=2DB7B57944D8B43359DE41CBDA59DA1228B2D57A86AF3B323F402CA87F457F08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055799Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.877{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\32RU3KCHH6\System.Core.ni.dllMD5=E7D8816D0A6FA8D8748E1BAE0B4A6875,SHA256=A0D3EA7A34C4EAEF847DD511D3BFE0E783EEF75A63A6FEFCD03C2F6B9AAE4F68,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055798Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.408{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\32RCXYVBGB\System.Core.ni.dll.auxMD5=5BC3A9D40323A2B04F4E1902734E283C,SHA256=CFF89802D8AC21E1BCDB723259BCB27CC029712A021861269F65FB5551CBF55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055797Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.408{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\32RCXYVBGB\System.Core.ni.dllMD5=849D0AA44BCEBD9D08A5FCD6C4880A59,SHA256=B34E567DCB7A031BD7B4F35B6DB317203674C0CF030AA7492E0937D3A31AE861,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055822Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.961{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA5058D51BA2BF19A5687368979B6E9,SHA256=03495E15EF773AC84CC0AE413DCC3F3B7952009A6A2ED28CB2EDF485F7F1A038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028269Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:37.389{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=632AC0E35D976C267A8370607C91A0FD,SHA256=C9DCE9E255D1FDC10CF4E45A90FD2032207807D76876140157457C46FC3AC8AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055821Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.761{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\45O1CVQW9C\System.Numerics.ni.dll.auxMD5=B112B901DBE457D5C44431DEF8018CE7,SHA256=E8A9B868DAAA55B69C61BE12D2C8D3EA8BB1F99EB970230BB6A867B65586B41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055820Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.761{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\45O1CVQW9C\System.Numerics.ni.dllMD5=3C15EEC6D52A4674FE204A7E3610D46E,SHA256=95EBC4E4BF44CE09D29EC4505D7B8548DA661278D4DF53F887CC357557F45A80,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055819Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.761{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3ZIZF1QT8S\System.Core.ni.dll.auxMD5=857C3C633078A0FF327EC1F905FAE10D,SHA256=31B50CA26261C58BCF0E35A0BFE7B4B13E7FD05F7DA3C20DFCA4E7C85C169ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055818Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.761{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3ZIZF1QT8S\System.Core.ni.dllMD5=45F542E6DDC2861FF2D6E1C16E05A4E1,SHA256=162BC0CC8560FAEC6AF395BE24D66124DF49F6FD8F21FA90A445BE4F34BC931B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055817Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.376{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3YC0J5TJBN\System.DirectoryServices.ni.dll.auxMD5=5BE283A9E68591B32773566F147A211F,SHA256=83CFFD1BAEA158353574578F2145C054F207526C8E544F114652C4EF01713BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055816Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.361{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3YC0J5TJBN\System.DirectoryServices.ni.dllMD5=8CE05080E8212D45575DB5EC52382363,SHA256=B2960982ADB25974561E8356470B1234CDEC00F5FDBAFDC39F221B37F914433E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055815Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.329{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3SN3JHS6KB\System.DirectoryServices.ni.dll.auxMD5=6E2FE7A4355DAE72B2A560B93997D344,SHA256=39C8A0903E4C7697FCA69012253AA0A79981CCC8C8C3C53C097A9C753233643D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055814Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.329{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3SN3JHS6KB\System.DirectoryServices.ni.dllMD5=CDCED7F4E698C3DE8142E81A1A46A9AB,SHA256=6DC7DB265A13AA4C6A8DFCA621CD76C374D0269564732D7FE0097A9404A0CDF7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055813Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.261{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3M6KGO24OM\System.Web.Extensions.ni.dll.auxMD5=EA373B89C0FD4F1EE90998C42C3A4FD2,SHA256=A88BEF9CF305003D6B1E713629F962CE4B81079FF4F665D6F8A59A5C8C2E565E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055812Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.261{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3M6KGO24OM\System.Web.Extensions.ni.dllMD5=08FAFE195EAA21633B7E1910E5E5685D,SHA256=3FA1D9C02A067D54B12F7BDC8333C0173B1BB42919BDFD9A76F189F57855FEBC,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000055811Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:34.962{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65050-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055810Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.092{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3CINU4ZU93\System.Web.Extensions.ni.dll.auxMD5=964C12F7EDE4473648291D5C6D52CA5B,SHA256=09CD7BFB8C8470190592716E3BF441DAF0C0EC6DF889077E122A1463BFCEDA1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055809Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.092{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3CINU4ZU93\System.Web.Extensions.ni.dllMD5=5F68656D96F957624F2094DD871627C3,SHA256=263A84209803C9AF4C4317A5C5FB37BE22885FFC93EF4C906AAF0C627D8EC0FD,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028270Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:38.623{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0FAB1AD30C894BA9EC22D18B5E0B9B,SHA256=448A1F19897630B2DD702FD8D3A71D9506B13B6EE200551A932A109EFD72A1E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055829Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:38.991{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FAE896F0E7BE0ED13A4F606CE6B534F,SHA256=F359212F5F729FA0576D4A29CA2844AFEE6F9CB35662760FF25C98D28BD9DEBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055828Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:38.960{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4BD2OLDW4N\System.Data.ni.dll.auxMD5=EDB7CB075A217959013CD75CE405CCD2,SHA256=240A71F1AF20552B564ACE0F494BDFFCA2B3982D62D762D1E71E6E1535797972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055827Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:38.960{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4BD2OLDW4N\System.Data.ni.dllMD5=7ABB236413DDD5D4953BB3A2C663E53F,SHA256=D14A3A1F1851D9FD244CBF574F22A3B94B05FBBBC6147381E68F694AD59574E3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055826Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:38.461{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4B8HNLQETZ\System.Drawing.ni.dll.auxMD5=6C52FA11480271A7CA24597B93F7BB04,SHA256=61F5983290D91AB3DF009F8C874FA8FE2746C9AB30195650831EE3035CB71CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055825Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:38.461{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4B8HNLQETZ\System.Drawing.ni.dllMD5=C0CD3B953E9ADDA2C2CA1B521CAC444A,SHA256=792530B90A2559951E4A2DBECBE5B4B3FDC08CB4140A89FC252E49C9FD342359,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055824Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:38.429{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\46ZWMVXHQK\System.Web.ni.dll.auxMD5=4B4864D2BDD3887862604DE92C828002,SHA256=58CC8C85446792E57BD9A8C69881CD5E66A5EA5624DCB0B9704E7C356BE58950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055823Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:38.429{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\46ZWMVXHQK\System.Web.ni.dllMD5=B38253FDADDC16D1C0B919A2E89DBD1C,SHA256=270074EFA57847FF994319B6D696A0F1D4AD07564FB1A8D2FDC3BBC28C1AFEFD,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028271Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:39.858{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001199C61AF9B83FAD7DE094E875E34D,SHA256=6293C5337FF5A2F77C6145F1E234C34566B5DBC5C8CB9A93E3ABD1B5E36FC60D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055831Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:39.644{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4L80Y8S27S\System.Windows.Forms.ni.dll.auxMD5=AB1FCBE377A6A30943BF24192D913F66,SHA256=1E7B1434F1E86E83CBFD081E03FC9AD1452D6EAEF768D18F35F90360F4AC6CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055830Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:39.644{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4L80Y8S27S\System.Windows.Forms.ni.dllMD5=DFFF6CA588881F5D87FAE30E754C1D6E,SHA256=B900C0634566D824EB4823FD9AD1CD8C69B65E143978E2F92B6707F9283BBF52,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028273Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:40.920{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D72506D47C8E69F530EC91DF476D0A,SHA256=78D9E7893A325E350DF161737ABF38F46DE9AD343AD1F7BB9E91BEF9579C7A0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028272Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:39.039{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51214-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055852Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.890{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6POLT6AMCK\System.Xml.ni.dll.auxMD5=C6B8D9FAFDC12F9D667B132D1BD24D04,SHA256=C2FC89CA115F96A788E5EA364A753E2D685A65BFEFE13145B138AE0309D2A99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055851Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.874{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6POLT6AMCK\System.Xml.ni.dllMD5=71BC2F8235C4E463DE58A0B06A7CC6E9,SHA256=D311CB68072B7387AF7CBF476708618CFD88A950AA11C17C74D0281AE97DB612,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055850Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.475{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6PMTPRCX9S\System.ServiceProcess.ni.dll.auxMD5=3BE355F7C741659AC9143FE240563390,SHA256=53584243F91BEFFE8C60395404133B9E0965D4BAA27412A3CB14C43C99ADE994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055849Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.475{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6PMTPRCX9S\System.ServiceProcess.ni.dllMD5=E7DDC2DB27A745FD9B904E90978E7F57,SHA256=A598609D6B4C0BE721FD06140AF13828706CC526845C19CCA7B50B3F7C6F8AB6,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055848Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.459{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6CGGQDM20N\System.Security.ni.dll.auxMD5=8BA8863BEEC87568AAC3B366897D0D32,SHA256=D0E77250356D5D825C484FEE34BBC25BD06C6D1AECC9292A0E3B3DD14FF4B081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055847Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.459{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6CGGQDM20N\System.Security.ni.dllMD5=E050C5A89D23FE6EED7B86C3271787F5,SHA256=1045BCADAF25EAA099C264222B8AB242EC71EF1500EE5C524B2F2D6232D4F3C1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055846Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.344{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6C9DNXNCG4\System.Configuration.ni.dll.auxMD5=606A2790C740857716526360BA88602A,SHA256=B15A96066C9F545B826B491504F39A1460EFF5392D80DE4B1F5E75BBC86661D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055845Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.344{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6C9DNXNCG4\System.Configuration.ni.dllMD5=934AD64C1561413D426D12F22B82DEF8,SHA256=4446DC25DA1EEA3B37DD99082A3D73CBCD8F334C79A60337C79564416E895C26,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055844Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.259{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\634WY9951U\System.Numerics.ni.dll.auxMD5=EB049ABA5517841C734115079F8BD603,SHA256=2877312EFE8951A61700B5A8981F42E506060308E5D402F8E5FC7F879EDAC5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055843Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.259{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\634WY9951U\System.Numerics.ni.dllMD5=D282D2158C31BBF5B31EE855F7B15EC7,SHA256=72E1074D33DC23AB1D680257B353F3C2210E1C9095D3284570DC678FA3E93907,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055842Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.259{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5VCF4Y9RRU\System.Numerics.ni.dll.auxMD5=46C8A979AD3266DDEF725C7E593B0EC9,SHA256=44F41AE20DFD28ABE6EE0E04898C519AD9709FA50D948409B2ECD81BB20D3D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055841Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.259{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5VCF4Y9RRU\System.Numerics.ni.dllMD5=63A9B260BCFCC94E75F0B012DE2B32EF,SHA256=3BFD410197EBDCE1914F9CA077D5B2BE75A664A54D5D9B05169694327EC86CE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055840Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.191{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5BS1TMOGQB\System.Numerics.ni.dll.auxMD5=EB049ABA5517841C734115079F8BD603,SHA256=2877312EFE8951A61700B5A8981F42E506060308E5D402F8E5FC7F879EDAC5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055839Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.191{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5BS1TMOGQB\System.Numerics.ni.dllMD5=D282D2158C31BBF5B31EE855F7B15EC7,SHA256=72E1074D33DC23AB1D680257B353F3C2210E1C9095D3284570DC678FA3E93907,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055838Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.191{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5AHEMKTSFR\System.Configuration.Install.ni.dll.auxMD5=0CBC2C9737233F80F1C8DD57CE1AE88C,SHA256=6E18B2C2DFA32D6F4925D1BBE903FD9049472C36261FEBA8DD59628E8C6A9F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055837Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.191{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5AHEMKTSFR\System.Configuration.Install.ni.dllMD5=2582241664CA944A32E31176A66CF0C6,SHA256=B7C2F435943924E46E604D1D35C1835920CC706BF320D85179E53CA0F84354FF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055836Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.092{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\503UQ183RF\System.Transactions.ni.dll.auxMD5=BABAF56BC4E7ED7F5936B9CDA05FB949,SHA256=472049805F257AF427D88C0CC081CA4CF33192FB0418912FDB75CAE1A5D97EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055835Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.075{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\503UQ183RF\System.Transactions.ni.dllMD5=0D4D6EFF8A0B941FA83A237F34282E25,SHA256=0B923E73C01D4448E476244603A9B8AF337DCF9342352A2E215EAA6844AA380B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055834Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.044{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4XBM0LREMU\System.Core.ni.dll.auxMD5=1D332A2AB96D39725A924B0F7AC5C9E3,SHA256=F7639920830FE768FDE77D0F7AA837CC6A2A620CC2864ABEF06F2D81AE5FF3C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055833Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.044{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4XBM0LREMU\System.Core.ni.dllMD5=4F8E92D7B2085AC07167893113B7EE37,SHA256=E5F3FF00F876CB67661B9838A89CBB71C4B5B61AE03D19B6B6020527A58F7691,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055832Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.007{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D795B4BC69EB97F1282046C9EE67BE49,SHA256=8153AE4F350A8648A69C6370EF67AAF26E2F634CBE01B034C0639A81D8960705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055859Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:41.959{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7D1S6WJRIJ\System.Web.ni.dll.auxMD5=0F3C7B662FBC079F29C3EF02690771DF,SHA256=FA432BD61A221C689873F7123B62039D1CA3CA2DA09E90F87CA1C939F3FAE4A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055858Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:41.959{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7D1S6WJRIJ\System.Web.ni.dllMD5=8E96EC1FB2ED02BAACD1964616C6C37B,SHA256=9EEE12F5A918A691006264A2479B713E832CC7DD8F292F6F65D8BFEC3C6F0130,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055857Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:41.306{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6Y3OKT3QPY\System.ni.dll.auxMD5=E5FCD42C7D3662F69C906AEC226AF5B8,SHA256=48129DC1F2155ECD4BAEBCFB148120DA8AADD6520BE1BCE9D3B59DCF651906E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055856Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:41.306{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6Y3OKT3QPY\System.ni.dllMD5=F2D17CA8803D8FF69D707964F3EE292F,SHA256=C7D8AFBFB161B83E2211721336DAB1E6C3FD5F5C0E973C8152063FD1AFB89E16,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055855Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:41.106{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C494019A6EF675F9C4AD8B706D1C4AD7,SHA256=83098E334EDE4436BEFF0ADC0420EC95054080D7C6D2A06FCFD9F1EA16E9A824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055854Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:41.106{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=15D14C3C79621C9197BE2FFE4D624D1A,SHA256=AFB2FB62D30CBA868D7DC94669F98D2E727D07E3B59E3F7C0ABF865E4C669C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055853Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:41.028{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2657BB1B702C997E6CE65DFE4F6D585E,SHA256=C81BE2E3124BAA1546CD5614434A45C18D68BA5DCD4A3DEA0C912330EA6CABC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028274Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:42.139{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93740D876DA7D5E73B5B5E78DF6C3D6D,SHA256=E7910FB3CADD77E38C5A3114901D3301622D5D34315DEEE14C4C226AB6CCD824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055863Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:42.932{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7GTLY186Q3\PresentationFramework.ni.dll.auxMD5=47D8164F6B5704DE03EE18C8BD6B1507,SHA256=0AA5F90BD35E835B70F375A5E5A4D7BB5E8FCD38BA34BA17F1F4B24598044389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055862Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:42.931{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7GTLY186Q3\PresentationFramework.ni.dllMD5=6FF3D4E13A7F80E99CF8C87B2E2EA61E,SHA256=4B5DEC8E153D241755C9B804B32DC41D865A93F1D12A59533E07574524A528B6,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000055861Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.077{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65051-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055860Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:42.044{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A848681270CC5F515E57CD955BF8540,SHA256=5AC4795189F99B236000AF48A41DDD294810EABDF0EBAFE9A1A578564AA980CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028275Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:43.139{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF9597C113D155F34300D6509817C07A,SHA256=F5EF31DA226976324C72A2852C557BE2C4F8EBF721CA08FF5A03124845662D47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055869Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:43.725{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000055868Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:43.725{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055867Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:43.725{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF7a2ae7.TMPMD5=2DE96C38AC19CBB56DF927E82878F75C,SHA256=5CEC70471600143C4863C1E77335843719B091EA0804DF0C6ED4CDA3308966EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055866Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:43.546{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7K6F2KWFLK\System.Core.ni.dll.auxMD5=34557D491F925C33B9579E2AE5BD4017,SHA256=AD30F4DA8CFDDF64D38E65145696AF7233CD5ABA10C244B882ABAFB770D7E608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055865Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:43.546{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7K6F2KWFLK\System.Core.ni.dllMD5=19160F5E64B830DD9B54C49057A68163,SHA256=F18AEDE0C9B8E6ADA6BF9FCBD86239712F1C420E1BAEF0FF02339F2F15F8BB81,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055864Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:43.047{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90BF6D0A2541B87E9590C3926588A527,SHA256=E1189AB2662D088B7D4A9DA57B2D9C41EA98E932098DC66930DD3F7E43D5C571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028276Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:44.155{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F161A78748F4CBFEAFE1E2B7430991D9,SHA256=008BA1EB3BF74208FC8BFCF2A3A5551BED15FFC6920BA61B4FD8239A92CAB0A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055872Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:44.246{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8CW0TLLI6C\System.Xml.ni.dll.auxMD5=040DE208CE1EB5D0024CE936E00E3392,SHA256=33953292338BFB6EE2756974051377A824A6C6DA3BA533A3FBA6D86218957BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055871Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:44.246{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8CW0TLLI6C\System.Xml.ni.dllMD5=6644706835E5D443B9822C53AED1B87C,SHA256=14CFCA3962038FEEFF28F93571BDA791D9DAF2FB8E34C066E027DBEF1D07F5F7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055870Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:44.062{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D7698DEB5217B1B96DCA32CEC63880,SHA256=F92EE7E2D5D8249FB64BAD2C3B24F16CAAE46D180641A1DAA3B5C6E404B01AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028278Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:45.389{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5070C097D9DF6F74816C7BCC9407B4C,SHA256=246E9CD10305B12522A960AE4F1B55187319930A422D230D92D1E81803EE0C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055883Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.753{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\96CHNE9KEV\System.Xml.ni.dll.auxMD5=3A2FF34743BE9234A2C896E3C7A8EA0E,SHA256=1F1647BAB2A25AF7215FCDC9C03F88D0A2CB1EAA1E61CEB6288D28B69E59D546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055882Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.738{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\96CHNE9KEV\System.Xml.ni.dllMD5=4BEBFFC9DAFC484D7BDA244385B9518C,SHA256=0B08FD59C9CF52A30AE65B34CD40378B906A1169456709207CA365A5783DBCD7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055881Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.454{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8YSMTK89XY\System.Transactions.ni.dll.auxMD5=799D1D6903AEF7B551CD4A4C6B265AA9,SHA256=EAE828D0DC70B8C0CADC0F2FB1EB4DAB7A5E36C371C4B8A27C807DE7C0974339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055880Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.438{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8YSMTK89XY\System.Transactions.ni.dllMD5=8D18FAAB7987602078CF848438C95F88,SHA256=AB760B68DE4E3D55C85FBC48423AC7C47C8A8C34FC3964E0473DA960D0BC3C5D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055879Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.391{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8WWG4NYYD0\System.Management.ni.dll.auxMD5=C01ECF7E635ACE095C407D20F703DED5,SHA256=8FAF355B875FE7A537D651283A77C77B5A95982427C0D520A99268846EFDFD84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055878Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.375{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8WWG4NYYD0\System.Management.ni.dllMD5=F1A2535A0424F3F86C727E007F7A6F03,SHA256=8429E3661DD8E26425E938C735597BB4545AAE73AC1EA8A6490140A4D9CB6AFA,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055877Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.366{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8U1UQETKXN\System.Numerics.ni.dll.auxMD5=B112B901DBE457D5C44431DEF8018CE7,SHA256=E8A9B868DAAA55B69C61BE12D2C8D3EA8BB1F99EB970230BB6A867B65586B41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055876Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.365{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8U1UQETKXN\System.Numerics.ni.dllMD5=3C15EEC6D52A4674FE204A7E3610D46E,SHA256=95EBC4E4BF44CE09D29EC4505D7B8548DA661278D4DF53F887CC357557F45A80,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055875Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.360{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8JIPYYTGS7\PresentationFramework.ni.dll.auxMD5=5AC47BDFF85309943EFE3B48015AE6CC,SHA256=B954B0424A3B86859EDEB4E1844EAA13FED43EDC3E64022F93D28850E174AF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055874Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.358{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8JIPYYTGS7\PresentationFramework.ni.dllMD5=8C13DC1C231C74434BE8B18DD5D86480,SHA256=1E1471068E3390B52D4DEA0BBF6532C3CD4FF8B396835933FBEDC7B9ADBE11B4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055873Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.077{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FAF1853872E75EBAA33D0530821968A,SHA256=393FA9F7F7B42C14248EAF7D50DC9363499520CEEA00C702AC1B579F3FA226B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028277Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:44.133{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51215-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028279Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:46.624{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D078BD791502B524D6330033E03D104B,SHA256=C45B4AAA3EE61C832B96A779C9B2DE5E3D546566865767D8D16ADA025910FFBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055886Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:46.306{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9CX24I1PAE\System.ni.dll.auxMD5=5EDEB7CB71D6AFF9F7615368262F0EDB,SHA256=A2F1D764B84B3222C7E77D8A9BB17EB369BEBA8DC915B549647C7D1331644E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055885Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:46.306{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9CX24I1PAE\System.ni.dllMD5=CE8C60E7028F27055C4A6C327FA97113,SHA256=4A235FCBCAC5F3713DF6A2BC0636A0FE5F12CA49B3CA2DD18034902FD4C129C0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055884Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:46.090{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA80FFC0D528200BD610B3632F1BA706,SHA256=6337ED9D9D11F858A5157CB8066C33C6AA071BA6558D97CC25B4412BD7EFD25C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028280Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:47.639{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B43AD020E06A4779CDC66A48D70C3E,SHA256=2022E9EEB629CC6B8C8BF25736FF8D0491959215058A5C2DE650A1382A3D9DA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055896Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.173{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65052-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055895Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.289{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9Y9I29WN2V\System.DirectoryServices.ni.dll.auxMD5=8451615FB68C5792747E6B9F17CA39FB,SHA256=F36CB4DA58C61B9521D0B82E1AF455BC583B717FA5D13195E5D3E465B4745764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055894Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.273{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9Y9I29WN2V\System.DirectoryServices.ni.dllMD5=C2B7030570684F5C7BAF333C9C6DB4B5,SHA256=1C938CA0C98F20F6200B9EEBD2895CE9CA98DD6500A25B734C0D5D7442CDC641,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055893Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.152{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9IY6J183BS\System.Numerics.ni.dll.auxMD5=EB049ABA5517841C734115079F8BD603,SHA256=2877312EFE8951A61700B5A8981F42E506060308E5D402F8E5FC7F879EDAC5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055892Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.152{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9IY6J183BS\System.Numerics.ni.dllMD5=D282D2158C31BBF5B31EE855F7B15EC7,SHA256=72E1074D33DC23AB1D680257B353F3C2210E1C9095D3284570DC678FA3E93907,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055891Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.105{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9ILKVTSEI7\System.Security.ni.dll.auxMD5=BC3DDDB5F07C162D92B2037E6880680C,SHA256=4B74A1D3FF9277CA53DCF8D3541DADA05ED4A1B570F67D2B7C45957DF366448F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055890Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.105{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE8179F4F98ACB1359F92C2CC487C14,SHA256=ABA944F6368A237F82F0559482E065CD2FE7BAA91AC41E33113A66386F86D754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055889Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.105{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9ILKVTSEI7\System.Security.ni.dllMD5=87E23D848DCDA15E4AB088D7471A99D2,SHA256=55FE1EAC63C9A18285EB2C4CF0CCF1FC54C4DDBE4AC3A5E661889E7C22AEF598,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055888Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.036{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9E7FE8BE9W\System.ni.dll.auxMD5=97D37AFB390992CE3C6F1D4E1112CAA5,SHA256=E9BE5584192A17CDF882242AB2C104E2A185B276E589F81AEC50663E4BA6F881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055887Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.036{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9E7FE8BE9W\System.ni.dllMD5=709A692740777021A1BC08A50B61C807,SHA256=AD85D06B3912A64986318D87202BDCAD748D6E68E3B693D37459EF9874889CCF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028281Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:48.874{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61BF22FFA30AC5046D81BE594A41B4E,SHA256=6D205CF4EB34D1D102E992E3E9D86325782509D8369C07710ED0812144173C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055911Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.851{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AARSWFE6RE\System.Xml.ni.dll.auxMD5=C6B8D9FAFDC12F9D667B132D1BD24D04,SHA256=C2FC89CA115F96A788E5EA364A753E2D685A65BFEFE13145B138AE0309D2A99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055910Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.851{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AARSWFE6RE\System.Xml.ni.dllMD5=71BC2F8235C4E463DE58A0B06A7CC6E9,SHA256=D311CB68072B7387AF7CBF476708618CFD88A950AA11C17C74D0281AE97DB612,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055909Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.489{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AAJJT00YQC\System.DirectoryServices.ni.dll.auxMD5=C868E3CE49BA0E024BA044791DD8B901,SHA256=019CED5A20050041A0B1C6A7259A71BC867DF0A952D36A451E86472359A39D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055908Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.489{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AAJJT00YQC\System.DirectoryServices.ni.dllMD5=950230DF069FC31756D6F15EE8C95D84,SHA256=951D336C2A06FAE7FF8B42CE8F293B2A226DD338A2C36A233CFDD55C05FDA763,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055907Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.436{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A7YUES1U1S\System.Configuration.ni.dll.auxMD5=0056AAE6263694AECA005FB9F4CFB72D,SHA256=12D06CC2F2616FC7265D9C9E30DCA481DC24D79EA4442FFA9B0DF6BD5BD0086C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055906Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.436{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A7YUES1U1S\System.Configuration.ni.dllMD5=25EBFB35A3C0117023CBE947C69E27B5,SHA256=D9139DCB06B272BD35568F6C1496B1323311CF71BED1E7979CEC3D6B63287C73,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055905Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.289{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A1LJGPPVH3\System.Numerics.ni.dll.auxMD5=5CC4A69861ADC3DC96AB2ACD2D9149CA,SHA256=8841D1CD4ABC260B2B0EE69E209E0F06023FE3C6D9D50A65510BDD29676904F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055904Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.289{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A1LJGPPVH3\System.Numerics.ni.dllMD5=47D30AB50B1102E8FFEE9922F95C588B,SHA256=1FE316D9EADB703A05165965739493B8826C19A7C084EC53B50502A3231970F1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055903Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.273{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A1150KSMAP\System.DirectoryServices.ni.dll.auxMD5=91B2F2790B225E9B80B1642A87D19DA5,SHA256=F23B64863222A016CF4439EEDC90057CFEC21BC75A0D7D8118CE8996F42E8B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055902Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.273{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A1150KSMAP\System.DirectoryServices.ni.dllMD5=EB699F153BF3322C608FA8EC593641AC,SHA256=C88E1D58C19711E2951ACAD7EFB6D6F420D52D13C93B77B4E80B36396EB5AF10,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055901Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.205{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9ZPZ8SRZBF\System.Numerics.ni.dll.auxMD5=4554DB58691601FBD376774956021AD0,SHA256=C97E662629BE150ADEDC669040A735BF6BE5C8F4DC6B1007F4F041A1E4CC2969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055900Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.205{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9ZPZ8SRZBF\System.Numerics.ni.dllMD5=277A874D3C7FAF514D476913C562779E,SHA256=B0EBBA50E089358BBE363BB14DE6D80AB1F92F52C30C8FE13BC4358C8BB252B1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055899Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.152{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9YME0DIJZO\System.ni.dll.auxMD5=9651A4D69D091A91F7509B493895084C,SHA256=7F97FFC6DBCF14DEF386747D99B2204F6C0BE9C123F585888BF0BC23B424155B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055898Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.152{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9YME0DIJZO\System.ni.dllMD5=0D511A145E1BEFBF8048E4958B18EF8C,SHA256=5B4E622B50F3659A09BC10F7047FB5AECD568565E358232DBD8B85B615F42FB0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055897Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.121{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48796ABF915121587F7FAD83B6706C0B,SHA256=430A6EF6EACBD2B96F603F2068930D141D103952B5423E8CE58D394AB255CD15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055916Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:49.921{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AJR4CNNP1H\System.Drawing.ni.dll.auxMD5=69DDCED53EB62AD5F23BABFB8BA6D163,SHA256=C5164F9DAFB6224D0280E449DA8D85EE507145BA79652D1C0E5994B86E4903F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055915Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:49.921{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AJR4CNNP1H\System.Drawing.ni.dllMD5=2C489C8D4AF62D27FD4C18640F69CF5A,SHA256=09FDE2E93271A1BAD108E78FF0AD6662086D86D4095ED412E7064C9C50EC0117,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055914Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:49.836{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AIYX3MQ2PH\System.ServiceModel.ni.dll.auxMD5=BC5B8E9098BCB0FBD5B0BB3F67D6FA39,SHA256=EBC59D5A5922EAA498E84B02C3F7179FC2CBABDB24D64995DDC1D46FFB0939A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055913Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:49.836{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AIYX3MQ2PH\System.ServiceModel.ni.dllMD5=17015EDD211E2B3F88EA4398394359C3,SHA256=9DB2318A0C2A57C66DA61C7D698A02480B64D635E332EEBD9CE461F7F65B4476,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055912Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:49.135{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64891AD5D7C2D600C7A284A0C3FBE5F9,SHA256=866804C0045209F97300DAA61C00B872213A989ED72C724CE3C20A970774BBE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028282Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:50.108{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92CA3ABF6D4AE71619E8987C12674C9,SHA256=8190D2A4B6B1C75AA4B0393DCD423EC70F0314EDC40F12A0B5D9899464C648D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055927Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.985{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B3Q0WSI9WO\System.Windows.Forms.ni.dll.auxMD5=D446BDCD7E3BFA151BD38417CA52BBB4,SHA256=DC1794960B5836EC691C2DC58B068E76C8FE07B8A1293373ED30ED08A02887B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055926Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.982{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B3Q0WSI9WO\System.Windows.Forms.ni.dllMD5=EBA141EB6870A5CE8F381C7423130E8C,SHA256=60BF35B16E89046C8D5D49C3FE8D73AF63226FA1A4C865B96EE067035A3C21A8,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000055925Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.735{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-56EE-60F5-F908-00000000E501}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055924Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.735{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055923Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.735{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055922Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.735{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055921Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.735{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055920Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.735{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-56EE-60F5-F908-00000000E501}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055919Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.735{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-56EE-60F5-F908-00000000E501}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055918Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.736{43EB4363-56EE-60F5-F908-00000000E501}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055917Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.136{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322CBFC59E90D98260C1D58BF839B0AA,SHA256=D03588BF3AA1C7AEA82D474D3A303F1A8E3E7950D31FF0A35FEE9A674B6E6C4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028284Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:50.149{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51216-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028283Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:51.139{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4345294BD12E05F800A3EAF5EDD1D2D,SHA256=4B87AAA2DA72E790CA8405897F0138B1E3F2D5188B3B906CCF37EB6EF350D841,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055949Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.887{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-56EF-60F5-FB08-00000000E501}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055948Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.887{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055947Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.887{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055946Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.887{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055945Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.887{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055944Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.887{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-56EF-60F5-FB08-00000000E501}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055943Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.887{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-56EF-60F5-FB08-00000000E501}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055942Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.888{43EB4363-56EF-60F5-FB08-00000000E501}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055941Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.740{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A7E56732A1904F4B148FF21F2AC25B5,SHA256=4EB91E9651C7831A730FD29545719E5983C2C605FCE1CF86D918F9927CB6E22C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055940Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.740{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0544CE2CCCAB0F9AD44A9C6092D618C7,SHA256=DCA10843B2ABACB85D856BCBD421B43789D0B29E74A1469D15C7086F06E04141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055939Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.625{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B5ZN0CRY12\System.Xml.ni.dll.auxMD5=3EC54DEE44368C49379AC078874C7D69,SHA256=57BB02ECC01EC1AA52BCC116D735901E137A77E9943552D01B2E6493AF320307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055938Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.625{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B5ZN0CRY12\System.Xml.ni.dllMD5=D0E98E24CEAD9C2E25CFA692EC9250E5,SHA256=8A4926A4947088F44C02986196531D0D409F46A3D45974B17CA0A33EB0857457,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000055937Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.556{43EB4363-56EF-60F5-FA08-00000000E501}80848080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055936Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.303{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-56EF-60F5-FA08-00000000E501}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055935Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.303{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055934Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.303{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055933Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.303{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055932Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.303{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055931Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.303{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-56EF-60F5-FA08-00000000E501}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055930Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.303{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-56EF-60F5-FA08-00000000E501}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055929Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.304{43EB4363-56EF-60F5-FA08-00000000E501}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055928Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.140{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA427ECB0EEAAA7E999C7BF7C0629FF,SHA256=D168B07C4ED993E1F3E3CF3EB3C2C3B3D33E2852ED9384FB432E394E3D3BE5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028285Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:52.311{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C05273469F7288EAC6805D859F807BC,SHA256=085A23BC4F6C7835062B0F5C035930845B9027D39A8F67A94E34BF35157792B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055958Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.902{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A7E56732A1904F4B148FF21F2AC25B5,SHA256=4EB91E9651C7831A730FD29545719E5983C2C605FCE1CF86D918F9927CB6E22C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055957Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.870{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055956Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.870{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055955Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.870{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055954Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.870{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055953Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.870{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055952Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.802{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BE7ZHF1NHM\System.ServiceModel.ni.dll.auxMD5=E3B93DB9969E47579EF3CD308AD6F525,SHA256=57D5CB25CAA75CD1DE2F24CF07C558C8EAC60FBA70B71B5ADDA6CF3EBFF051F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055951Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.802{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BE7ZHF1NHM\System.ServiceModel.ni.dllMD5=FE7C04F63CBEA73272C0FF5DE1E67B31,SHA256=16280704304C7361CCDB7C088C00D94F72CF2B83E18186D96029EF12C8CBE1A1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055950Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.155{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E040CF0DB0C07BC96BAA408926051C,SHA256=992CB45FF278FAD198F7B88E635D1B53AB5C47B5748D8B6605C8D714BB439A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028286Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:53.546{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8865308F370E63F679559646E397E9,SHA256=9E71729499491E25D266B891627CBB55B7A51A381061241B361E7F8C9B307CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055985Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.926{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=648B95E67D96FEAEB3503C406EC2554A,SHA256=65683C42B3A63420220DA505BA94F2EE4EB63D7B5CE07245801B78C0839F0811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055984Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.925{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C494019A6EF675F9C4AD8B706D1C4AD7,SHA256=83098E334EDE4436BEFF0ADC0420EC95054080D7C6D2A06FCFD9F1EA16E9A824,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055983Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.074{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65053-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055982Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.508{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BG859LY4JA\System.ni.dll.auxMD5=C4730B6A55D190A4DBF04E66F071626C,SHA256=6CC8AF52FD8F807A5DB3DEA7FE2FDE042772BB6BF401E70438FDC785170742FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055981Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.507{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BG859LY4JA\System.ni.dllMD5=00248C9DAA0CD4F85D375CDF673D8581,SHA256=67D7D7935E525B620FB235CAB6565AC7A0C42D0013C03BAE6FB7301B7B5DE71C,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000055980Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.435{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055979Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.433{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055978Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.403{43EB4363-37A7-60F5-1600-00000000E501}1272NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\TMP50A9.tmpMD5=062256C5466024FDB2539E33454451BD,SHA256=FE80A2AC0793D186C8C8CC213131C2751493F6C3EDE18D5DAE70F03460ED7D01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055977Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.372{43EB4363-37A7-60F5-1400-00000000E501}11004336C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055976Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.240{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055975Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.225{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055974Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.225{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055973Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.225{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-37A2-60F5-0100-00000000E501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000055972Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.171{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961731E131B2085B294E457D72D4716D,SHA256=8E2449252C70C8EDDEF4C12C0AA7444FFBB3DBF045D7C9E9BFF885C5D8F07663,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055971Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.071{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055970Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.071{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055969Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.071{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055968Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.071{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055967Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.024{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-56F1-60F5-FD08-00000000E501}8180C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055966Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.023{43EB4363-55C1-60F5-7208-00000000E501}45564356C:\Windows\system32\csrss.exe{43EB4363-56F1-60F5-FD08-00000000E501}8180C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055965Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.019{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055964Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.019{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055963Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.018{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055962Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.018{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055961Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.018{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-56F1-60F5-FD08-00000000E501}8180C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055960Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.018{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-56F1-60F5-FD08-00000000E501}8180C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055959Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.011{43EB4363-56F1-60F5-FD08-00000000E501}8180C:\Windows\System32\InstallAgent.exe10.0.14393.4169 (rs1_release.210107-1130)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{43EB4363-55C3-60F5-C0E5-4B0000000000}0x4be5c02HighMD5=88C7DCDD735B31E4F5620E4B9F38C87F,SHA256=5EF1322B96F176C4EA4B8304CAF8B45E2E42C3188AA82ED1FD6196AFC04B7297,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{43EB4363-37A6-60F5-0C00-00000000E501}828C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x800000000000000028287Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:54.780{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F14ECBEFF7D0BD6521FB6F459EAF4E,SHA256=A4724E708F0BA6F27BF6BA7C1FE6CC901D6EBA02CD97F27B9BB9C9FD0734945B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056018Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.942{43EB4363-56F2-60F5-FF08-00000000E501}73567352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056017Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.889{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BVEF6A5NPX\System.Configuration.ni.dll.auxMD5=3748821F7E7DB1DD92C4C5575D6B6964,SHA256=9B707027DB2E45E9A550952164290F845AABB230B7E79A8231FA735944A87FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056016Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.889{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BVEF6A5NPX\System.Configuration.ni.dllMD5=AAE590481F01707BA3682F70184D1048,SHA256=B012C15153EB2B47FE2EFD7D13B689E342ED5DDD9D9EE55E59FC68D927193736,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056015Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.874{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BVCGLHZC07\System.Xml.ni.dll.auxMD5=9E8273197F9A02B9A721032C9C46FE6C,SHA256=AC968645F5D30BF892E8CD366F36A8DF8B40B65FD7940D3F24C1EEDCE414AEDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056014Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.874{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BVCGLHZC07\System.Xml.ni.dllMD5=5323B8A12366F102A9AFAFEE81B107AB,SHA256=5EACFEB8E0B0C4F166DBFF9B5116A4A371C6652F451A310F30133D1D8680CEE0,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000056013Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.705{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-56F2-60F5-FF08-00000000E501}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056012Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.705{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056011Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.705{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056010Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.705{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056009Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.705{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056008Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.705{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-56F2-60F5-FF08-00000000E501}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056007Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.705{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-56F2-60F5-FF08-00000000E501}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056006Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.706{43EB4363-56F2-60F5-FF08-00000000E501}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000056005Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.191{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local50104- 23542300x800000000000000056004Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.622{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BUKVN9YJPN\PresentationFramework.ni.dll.auxMD5=6B885B68C6B0ECCBB2E89A4D73DF63C3,SHA256=D6BB1EE81B79CB0C8DD4C8B39704859B055B9C056478043C924D695876543007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056003Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.606{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BUKVN9YJPN\PresentationFramework.ni.dllMD5=E5E779E851434195EAF586B414E1AB14,SHA256=453BD0B221BFBE7C7C19FD48797DC174A231A8489E5E2A60C82D72F6637CB1BC,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000056002Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.474{43EB4363-56F2-60F5-FE08-00000000E501}26527348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056001Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.426{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C423BBC9FFFBA6888CAB5FE0D03669,SHA256=A588E93660DE6D168124CC34032593D83F49C797DFD04C78531CDF7923536D05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056000Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.165{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65056-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local445microsoft-ds 354300x800000000000000055999Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.165{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65056-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local445microsoft-ds 10341000x800000000000000055998Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.206{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-56F2-60F5-FE08-00000000E501}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055997Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.206{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055996Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.206{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055995Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.206{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-56F2-60F5-FE08-00000000E501}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055994Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.206{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055993Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.206{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055992Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.206{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-56F2-60F5-FE08-00000000E501}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055991Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.207{43EB4363-56F2-60F5-FE08-00000000E501}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000055990Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.064{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-876.attackrange.local65055-false10.0.1.14win-dc-876.attackrange.local389ldap 354300x800000000000000055989Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.064{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65055-false10.0.1.14win-dc-876.attackrange.local389ldap 354300x800000000000000055988Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.046{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65054-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000055987Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.046{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65054-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 23542300x800000000000000055986Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.059{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCF7FEAC633C09271BBB44B11955377C,SHA256=7A0A9D2E20B7A487107CD437978F99704D1DBAE2EAD3127FAAF323FFFAED2D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056029Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.857{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C0TCGUWA79\System.DirectoryServices.ni.dll.auxMD5=2BEEB7989E153026455A91546700FDA5,SHA256=63A95441B52371EEE7EAE9605B312F82B498BC927E85C516C19984D5B629AE97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056028Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.857{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C0TCGUWA79\System.DirectoryServices.ni.dllMD5=04A28498B7718E00A2FAA9797FCE2F17,SHA256=47C6A18965FDCE1FA4609406A47B48F689D0B3828CCBF3A73A70B55A3AEB04D1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056027Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.804{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BXY70745SW\System.Numerics.ni.dll.auxMD5=6D550B69BDC7D89EC2E3554A3DDB4667,SHA256=7CF8E63A66C6685A48A43466D8842DE966699265AF5DDA14CF5EE7EA2398B019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056026Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.804{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BXY70745SW\System.Numerics.ni.dllMD5=AF5901179DD8427F1BCE805FC1C60542,SHA256=976A8BC3D65758BF022E26BC0F8BEC1B908D58665A99B6DB45FD5004809E16C5,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056025Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.757{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BWHTE99QJC\System.Windows.Forms.ni.dll.auxMD5=0057D8C02F52278E2D88E0C434C9FB67,SHA256=C3E4ED40898F69A430845210C1C1F6F46FB3382B871EC2264963243B4CEA8BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056024Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.757{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BWHTE99QJC\System.Windows.Forms.ni.dllMD5=309216E457DECA1FDDFB036BF6ABA05F,SHA256=59A0802383424FB2D07728867DA0A79D6657E2380406D998BCF2630A7966AE38,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000056023Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.576{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65058-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000056022Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.576{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65058-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000056021Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.217{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65057-false20.54.89.106-443https 23542300x800000000000000056020Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.557{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5FD571F80F045557E264D98256F184A,SHA256=4D99F0D2DAD2856E1321DF470A586D5D5155C6D0CF82F77A0279611AFCFA2BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056019Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.226{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB4BEE1DCFD4BC4AC860039A4D2AAEE4,SHA256=407396649F3F8D561C1847426BD75AFBA2AFDE713F6C89FD21D15CBB0F15A6E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028301Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.811{53AF6CEB-56F3-60F5-ED05-00000000E601}33722468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028300Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-56F3-60F5-ED05-00000000E601}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028299Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028298Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028297Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028296Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028295Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028294Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028293Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028292Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028291Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028290Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-56F3-60F5-ED05-00000000E601}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028289Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-56F3-60F5-ED05-00000000E601}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028288Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-56F3-60F5-ED05-00000000E601}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000056055Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.825{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-56F4-60F5-0109-00000000E501}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056054Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.824{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056053Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.824{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056052Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.823{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056051Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.823{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056050Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.823{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-56F4-60F5-0109-00000000E501}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056049Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.823{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-56F4-60F5-0109-00000000E501}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056048Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.822{43EB4363-56F4-60F5-0109-00000000E501}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000056047Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.520{43EB4363-56F4-60F5-0009-00000000E501}74247460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056046Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.288{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C7PHD2QTO0\System.Web.Extensions.ni.dll.auxMD5=3387DD5DFBE5A69E658A1287F3C08628,SHA256=EB1B324EF21E4D9A1DADA4D9A4F519C76D1C862CA16E11725BA97420CFDF6D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056045Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.288{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C7PHD2QTO0\System.Web.Extensions.ni.dllMD5=C11869C1D2B9720BECE21325C4F88BED,SHA256=01E2262DC5D082948478B80C22833216555622B5D23040996F3A9A5AE4E956BC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056044Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.241{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA278E34D5845F7D0E74BD12162FBD0,SHA256=4D4769CC2ACDC870E8CBCDFD0DBBD795E7293F133556D3B616D7461422C21305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028317Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.905{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87FAE14FC118013FE7F6B8A4CBBD7E52,SHA256=C7D38016F396BA6715E2237DCFA6167F3CE8D3D3795B2EB7C343F3430506563D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028316Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.905{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=032DB3A84DBC189BDFBD9392159C6ACD,SHA256=D06D34AC9575BAAE1D71130C95CBB8C0BD0C05AB9FB4AB27F5ABC1BE721E7527,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028315Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-56F4-60F5-EE05-00000000E601}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028314Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028313Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028312Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028311Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028310Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028309Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028308Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028307Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028306Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028305Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-56F4-60F5-EE05-00000000E601}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028304Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-56F4-60F5-EE05-00000000E601}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028303Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.343{53AF6CEB-56F4-60F5-EE05-00000000E601}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028302Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.999{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4E9B7E509371816E0059B31E7E5FEE,SHA256=EB386FD1F57800575789EAA4F9CFD0B73E7FBFA5AAF92D79B1EE2902221162FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056043Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.204{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-56F4-60F5-0009-00000000E501}7424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056042Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.204{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056041Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.204{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056040Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.204{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056039Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.204{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056038Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.204{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-56F4-60F5-0009-00000000E501}7424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056037Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.204{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-56F4-60F5-0009-00000000E501}7424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056036Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.204{43EB4363-56F4-60F5-0009-00000000E501}7424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056035Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.172{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C76HWU6JFT\System.Configuration.ni.dll.auxMD5=0726536434B1F4CFF6E32E5A04A405E4,SHA256=CA81014EA85BB7A87C6D421D4492658D1ED3693C5E81E194FC9A55A56916500D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056034Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.172{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C76HWU6JFT\System.Configuration.ni.dllMD5=7847E113AF6ED71691FA241B2F092C61,SHA256=B54E3F593F0379C5B679C200EA5BEF842BD6B69EC88E49F89297CAA66E04E7A6,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056033Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.041{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C4N70GKTFI\System.Configuration.Install.ni.dll.auxMD5=20FF2F0A0D70F5CFEFDC3CAE5854BFC7,SHA256=03A72C9FDF9596376C7B0E4584A822D01BC8F7EF5AE4C8E5748E79665383DB7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056032Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.041{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C4N70GKTFI\System.Configuration.Install.ni.dllMD5=BA7270337571525AA0F643C2A10B5BF6,SHA256=E8419C27066C1F18E6B97F3E082D170E3F05683D625CD191F4CF3AEF691D5852,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056031Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.041{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C2HK51K4M7\System.Management.ni.dll.auxMD5=616FFBD02D10F157448EFABE441FF022,SHA256=4BE5225D3C62FBF39F40FCB7DD918B1385D4F9F241EDE312FA7ED87385911F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056030Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.041{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C2HK51K4M7\System.Management.ni.dllMD5=2EE900B41105DC12B81C9BB8227A3F93,SHA256=95D205DF219148F9871702FCA45AF8400CD3C370ECF4834726698B58938E8187,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000028345Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-56F5-60F5-F005-00000000E601}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028344Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028343Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028342Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028341Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028340Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028339Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028338Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028337Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028336Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028335Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-56F5-60F5-F005-00000000E601}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028334Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-56F5-60F5-F005-00000000E601}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028333Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.937{53AF6CEB-56F5-60F5-F005-00000000E601}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028332Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.086{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51217-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000028331Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-56F5-60F5-EF05-00000000E601}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028330Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028329Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028328Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028327Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028326Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028325Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028324Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028323Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028322Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028321Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-56F5-60F5-EF05-00000000E601}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028320Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-56F5-60F5-EF05-00000000E601}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028319Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.015{53AF6CEB-56F5-60F5-EF05-00000000E601}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028318Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.999{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F840B057EE2D523DAD3716D8B3A054B4,SHA256=CAAEE0DE10B131AA524179904636925F83B5AEBF086229C38D5E3093B44AECCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056076Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.553{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local52199- 23542300x800000000000000056075Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.602{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D8R9OZT8IA\System.Xml.ni.dll.auxMD5=D139F7C46452B340FA1AAB6824F0ADAA,SHA256=D890E796CBA8EDC709F63D916746F2F00C90562CDCC1E36D8310CC15CF0C63B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056074Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.602{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D8R9OZT8IA\System.Xml.ni.dllMD5=1D4B0B23D6D67D7249959F4C1C9BE816,SHA256=5FE8862C6007516E2BD43E2801E1BDB58B91ED8E29D744F6B37363C313FA747F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056073Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.487{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=BDC5400462053540C03593328D39BDB6,SHA256=F7A3AC38BC48533AEFBE8EECD33D7C2FD99DBA0F3B0D826BDFC1635DEB39E852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056072Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.487{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=0D836C2B351708826587F17283E32830,SHA256=641E3D33D5196CAC0B66C541C284424B7AC5C08D21D07A88D3F79B8AEEC7E645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056071Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.487{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=122707CB53DF323470FC9B73872A3A47,SHA256=66C1B244CCAF928F1467DAEC880295D877C549B800A570574C4AF6AD1D73E99F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056070Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.487{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=035D181B20FCDA027C57E12C8084185D,SHA256=3642E2C6D54E3EBAD6048E3E9D21A4161EF134B220D68972E8C8EE62D4470572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056069Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.487{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=60B4B0A5016002759D6A7063D7845435,SHA256=43DAA5BB0E237480BEF2D7F8388EC4C901B90C58911817D8727E0269FE62D124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056068Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.487{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=597FEBC87D25053BC2C292CB724E2978,SHA256=7583CD679D342E46D3326D435CE36C51127728D02A78212B628AF7A2130FAE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056067Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.287{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AA747CC7F01E7E9AF158D4401B0DE0,SHA256=3A4CFC36ABDD7F61B869CE0409FB9D314F454D702B1617E8796CEFE2DD4246CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056066Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.287{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F11893631EA5DD2560B15C29D83A9057,SHA256=83B760D4C1409386344C41E660B055B6BD4010A47196411E13943F9E9BC15560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056065Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.255{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D2S9RPSSNJ\Microsoft.CSharp.ni.dll.auxMD5=F6FB7708778B24569079915A980A250B,SHA256=BB455BE0C6696DEAC54DFBFD3F9A2EB92EC6BB926F83B3BF861306D6CF64F6B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056064Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.255{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D2S9RPSSNJ\Microsoft.CSharp.ni.dllMD5=48AA9752C04C314A19620753925A436D,SHA256=F212554A016D8C679B6A819D79BE0D9292A6A8A63141E4C84F69F50CEBA6174B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056063Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.140{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\COJRNMA6KY\System.ServiceProcess.ni.dll.auxMD5=3BE355F7C741659AC9143FE240563390,SHA256=53584243F91BEFFE8C60395404133B9E0965D4BAA27412A3CB14C43C99ADE994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056062Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.140{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\COJRNMA6KY\System.ServiceProcess.ni.dllMD5=E7DDC2DB27A745FD9B904E90978E7F57,SHA256=A598609D6B4C0BE721FD06140AF13828706CC526845C19CCA7B50B3F7C6F8AB6,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056061Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.124{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CENXN2KILP\System.DirectoryServices.ni.dll.auxMD5=91B2F2790B225E9B80B1642A87D19DA5,SHA256=F23B64863222A016CF4439EEDC90057CFEC21BC75A0D7D8118CE8996F42E8B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056060Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.124{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CENXN2KILP\System.DirectoryServices.ni.dllMD5=EB699F153BF3322C608FA8EC593641AC,SHA256=C88E1D58C19711E2951ACAD7EFB6D6F420D52D13C93B77B4E80B36396EB5AF10,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056059Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.087{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CB35XAA0GR\System.Configuration.ni.dll.auxMD5=CDBF47C48FE3C43FA6FDFFC27E7BF502,SHA256=97E156C1F3781604ACACB6E3BCEE094F94B0322FAE5CBE336C46763CCCAB3459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056058Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.087{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CB35XAA0GR\System.Configuration.ni.dllMD5=D3E5AF2CE2FD8C43D74F414B7A63E66F,SHA256=5A239C00CEE27D28EB600819739E67F051F8D96AA44094DB453034062461A935,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056057Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.019{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C9VNGI8112\PresentationFramework.ni.dll.auxMD5=E52B8B92200A182613A6D465C8002B70,SHA256=F474210BE1FEE708AE79D9263C73FF92C511B644F04430988D9A0E430AE6491B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056056Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.003{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C9VNGI8112\PresentationFramework.ni.dllMD5=9C68AC0EBB9EBD1A36DDB3459C2AEF6A,SHA256=E3858BC89A5E129F3661AE6CCEF8F10A4BBD6A83A2AD2E623AEBA49413795171,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000028361Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-56F6-60F5-F105-00000000E601}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028360Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028359Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028358Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028357Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028356Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028355Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028354Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028353Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028352Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028351Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-56F6-60F5-F105-00000000E601}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028350Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-56F6-60F5-F105-00000000E601}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028349Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.968{53AF6CEB-56F6-60F5-F105-00000000E601}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028348Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.436{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87FAE14FC118013FE7F6B8A4CBBD7E52,SHA256=C7D38016F396BA6715E2237DCFA6167F3CE8D3D3795B2EB7C343F3430506563D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028347Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.436{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C5C59C16F170214D76748A50FB9C5D,SHA256=3F95CE6485613001B374F2FF1837CAD7F71794AC1BBE4DC8B875C101B539B798,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028346Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.171{53AF6CEB-56F5-60F5-F005-00000000E601}2628584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056096Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.855{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EAYU1JY9XH\System.Data.ni.dll.auxMD5=5CC55A1FB0ED0B2E4990B312C4B725FE,SHA256=E4F07260DA1EDD653B5722AD4A712DB0C80D31B1FF8D5BFA1E84C9C9EBD19604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056095Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.855{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EAYU1JY9XH\System.Data.ni.dllMD5=917B1F2CBE25C534CE4664A904F7190E,SHA256=6380182C7F6247A0367F455C729212CEF38C5889E7D510AD2DBB52AF8A4C4621,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000056094Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.175{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65059-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056093Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.371{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EABENLFM6M\System.DirectoryServices.ni.dll.auxMD5=3F78814829D895D032A8BD034ACE4450,SHA256=A2410DA4E27BDAB67B07FAA49D57B73FAFD6C9DABBEBB8331FF6EE5CA5FFFA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056092Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.371{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EABENLFM6M\System.DirectoryServices.ni.dllMD5=1F105E423E686DDFAD34327F2AF3859B,SHA256=0874D66BCBCEAD079A9FCFCAFEE49B361520D911054D0AB30933CE1E42178235,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056091Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.324{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D025BFAEA81082EE1BCCE4D672FAECDC,SHA256=28EE3C21A48BB94F9F02BF94436F751E1E3E7A80F1BB22BCD62D516C3172FBFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056090Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.324{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=633B29D5E21B55501039CEE9177A81ED,SHA256=8961F335E7C2FCBAD047FF22E5F51ACDFAC6E49B3C6F67EA8BEE707928A9E964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056089Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.320{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DQ0CTC4XJA\System.Management.ni.dll.auxMD5=254EF8FA44D2C6C2AD30F0C72E5FEA4A,SHA256=2091BB513D8D335CDA0E9879BDCE2623ADB6DFA2EB4DA62A22A611D750AE0289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056088Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.302{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DQ0CTC4XJA\System.Management.ni.dllMD5=1D3FD15AB1501C7E7C5C71E84216E0FB,SHA256=CA07A2DF2BC440D714F53F4F9DA622C0797587E77677C1A9C4B6B01BE01E07ED,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056087Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.302{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5D9D723E836343DDFDEC2F50D6568D,SHA256=BDA2E619838ADDFBE3FC68BC135F9276601D853D548FFBB86BCD586F2485791A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056086Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.224{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DKA1IUKHFB\System.Management.ni.dll.auxMD5=9E113C3F173739443B36B19DD5C6669B,SHA256=E6D1A62EA7C191912AA011D805E8000EE89FE7281E888EF7A398F4FBA9AC4182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056085Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.224{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DKA1IUKHFB\System.Management.ni.dllMD5=545B093E8C7408982436090E8E13BA3C,SHA256=CFFD545D318D02B523B06E28AFD09A3649D013965B45986CFCAEE54A07AF0C1A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056084Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.171{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DFL33BDURP\System.DirectoryServices.ni.dll.auxMD5=91B2F2790B225E9B80B1642A87D19DA5,SHA256=F23B64863222A016CF4439EEDC90057CFEC21BC75A0D7D8118CE8996F42E8B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056083Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.171{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DFL33BDURP\System.DirectoryServices.ni.dllMD5=EB699F153BF3322C608FA8EC593641AC,SHA256=C88E1D58C19711E2951ACAD7EFB6D6F420D52D13C93B77B4E80B36396EB5AF10,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056082Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.040{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DF4KZD5CX5\System.ServiceProcess.ni.dll.auxMD5=FB48CBD15429C7B1F9A14E82CDF8B24D,SHA256=E11D297738EB6EFD68E74B919FC25F124C6CC4AE3E1C7595BB224BF4567C30FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056081Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.040{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DF4KZD5CX5\System.ServiceProcess.ni.dllMD5=52E1C1642839FB780CD29C337867C549,SHA256=5823F6CC6549B5FE1FDFF03DCF1B95DFAFDE9D381C04D3C8F5BDCC636A053E54,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056080Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.002{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DCA6J3LQZZ\System.Configuration.Install.ni.dll.auxMD5=22196DA6CAA793E0616864B9E8E06643,SHA256=86EFE97B8AA4DF629552A36B9B701A6CD96D95EE747F1BA761E6A5A0843BF33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056079Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.002{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DCA6J3LQZZ\System.Configuration.Install.ni.dllMD5=01A04115F66EDC890D89E9961D365FE4,SHA256=FA2900C83867BCB722E6481BB9070C704EF1D68ED20252F7D1EB3B6DAA320439,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056078Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.002{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D98CT5T0HL\System.ni.dll.auxMD5=D1633EB12C3BA6976EC07A4F63B7C5D2,SHA256=FA5EA8271FEEF900EBBA55412AEC8CFE63AB04812C2277AB6C43A89807631658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056077Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.002{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D98CT5T0HL\System.ni.dllMD5=E6629F608804427DCE9CA7252AA92C23,SHA256=B6699D00ACE64600A90372DFA28089254BE1430D11AA8906B8E7B8C7884E0CBA,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000028377Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.764{53AF6CEB-56F7-60F5-F205-00000000E601}25441048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028376Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-56F7-60F5-F205-00000000E601}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028375Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028374Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028373Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028372Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028371Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028370Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028369Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028368Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028367Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028366Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-56F7-60F5-F205-00000000E601}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028365Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-56F7-60F5-F205-00000000E601}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028364Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.579{53AF6CEB-56F7-60F5-F205-00000000E601}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028363Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.358{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764512460DFB4A1E0265E3FF5CEC178F,SHA256=B365503A1C43245685C07FDFE0BE6DCEF038B0F3D8297BCDFB8103296DBA29E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056103Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:59.954{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EHOK4E7N9M\System.ni.dll.auxMD5=3DF95B0C71238F8146AA10A2DAD2FF34,SHA256=37835EDC93EF2E6E5A3DCCEB99509FE5DBFB049D835C64B2D74B792024156EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056102Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:59.938{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EHOK4E7N9M\System.ni.dllMD5=88C9F3A6A000DB567901CC188925D7C0,SHA256=5E1C43C87ACA9EEB778AC9BF91CBB976049A472F3AE41BAA6F82E498803796B8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056101Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:59.339{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6EBF8CB91434800D2CFC5DB71EA0E2B2,SHA256=32CB84FEEACE38D9FE2DE8CE2081A150F5F3129453C16A803B729EFD4DDB209F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056100Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:59.339{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=648B95E67D96FEAEB3503C406EC2554A,SHA256=65683C42B3A63420220DA505BA94F2EE4EB63D7B5CE07245801B78C0839F0811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056099Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:59.323{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FBC7AB94FCAA9F18234164C54399A2F,SHA256=E2DC1F2FFF720803F6884D35A8596B73F80388CE149C203D7BEAE22B1E618380,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028362Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.139{53AF6CEB-56F6-60F5-F105-00000000E601}20401624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056098Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:59.270{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EEXH79HD8Y\System.Core.ni.dll.auxMD5=9D25DB6F29813D2D1FA827D77A12D1BD,SHA256=829105ADBF1A5F782DF9E98B29CD106AE1D27988D05B162A5702069C31282417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056097Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:59.270{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EEXH79HD8Y\System.Core.ni.dllMD5=2FF381DDFCDD26492D228199E5348106,SHA256=381EBF60EC44E82FE34BAC17A1856C95E766E9260604747F71547133C1C550C2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028379Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:00.592{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B9956D67477F25228ED9EACEB5C090,SHA256=3C2F63C740D9CB2D7F90C39FE8E092CD46C94693E5DE62C2E726665561C33FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056112Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.785{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ETLOCP7CIU\System.Management.ni.dll.auxMD5=A1123A272EA45D0BE152C0EEBD6784E2,SHA256=5B0E627B5F7CFC5A685543302698C7882E396403C78E13DE7A7443221A86F536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056111Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.785{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ETLOCP7CIU\System.Management.ni.dllMD5=1EE419429DFC6FD092EA7828ED535BFB,SHA256=66C905BB59A36F4F0D862B6C9C7125C212BCD31DC12821EEB4B7B72994CAA787,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056110Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.669{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ESD5USV53U\System.IO.Compression.FileSystem.ni.dll.auxMD5=F4A1A9F448D8081CE864ACA2BE6078F0,SHA256=AA8B0EB7C8260304C5F8FEEEFD3711382ABEB7B49BDC2A7836E30B95601C7130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056109Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.669{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ESD5USV53U\System.IO.Compression.FileSystem.ni.dllMD5=4D09B7B8869461AE2CE6EF317D352683,SHA256=979C8FB3B516F86588AF859C6985EE6EBF9A829F1E7CCB723908FECD08B6C98D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056108Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.669{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EMT96RIEL3\System.Numerics.ni.dll.auxMD5=8C8F36DCBC0AB4F29DC79D33D9CD7240,SHA256=48D6097F83178C3905EC2BCDA01C80CFFB1A832CB1F0BF5F08E510C86D6F9215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056107Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.669{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EMT96RIEL3\System.Numerics.ni.dllMD5=845E361BD51C969466956F80361DE179,SHA256=1BFFC23BB5882DA343969E12ABE4FC89BBC0EC41D9C30E7DDBCA7ACF250A2752,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056106Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.654{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EIJ3YY2MF2\System.ni.dll.auxMD5=8AA30EF5A6FFA51F166D232C8B76A3CF,SHA256=CF2BEA95501884BCC9E3BE072E7006CE2316CE0C086748105EB2216B8512721C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056105Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.654{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EIJ3YY2MF2\System.ni.dllMD5=355F6BCC3F1F0142682CAE2AE9AD5128,SHA256=04A3A69D1F5E94F84A13485DE67472FAE17746F6D655E051C378723343B734FF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056104Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.353{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C70D74BC282D75E68A261E5A09319AEB,SHA256=13E9F48238AACC4921467F5257D9197A15391E1738E258F4429A49D39521B0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028378Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:00.014{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFCF4EF1DF7319221FC1031B9A65A06D,SHA256=A6A54D17955B5CAEE43E927330A425BE6CC053E10D893BB479BF90B1B9D1318F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028393Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.608{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A124B39AD349A85BCCDB0EAA2B0022F4,SHA256=7D75AD2D24E999AA7282B0B44559F8DF1A5E020067D51325EA90CC79E817795E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056119Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:01.469{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EZQS3Z3PKI\System.Management.ni.dll.auxMD5=9E113C3F173739443B36B19DD5C6669B,SHA256=E6D1A62EA7C191912AA011D805E8000EE89FE7281E888EF7A398F4FBA9AC4182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056118Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:01.469{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EZQS3Z3PKI\System.Management.ni.dllMD5=545B093E8C7408982436090E8E13BA3C,SHA256=CFFD545D318D02B523B06E28AFD09A3649D013965B45986CFCAEE54A07AF0C1A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056117Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:01.400{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EZG4G5DGOJ\WindowsBase.ni.dll.auxMD5=CE451180C26759B1028E3A902C17F85E,SHA256=5AC69F8930094C256A2A4CA5A979682EABBA3BC3AB7DD7F8C2844ED726B91AD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056116Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:01.400{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EZG4G5DGOJ\WindowsBase.ni.dllMD5=BD60B125B9BEF727540A7D61965BAA66,SHA256=A7053DEFC3CF04D3182513BA4E94DA8400513083D146E6FBC67B3E6A213B7137,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056115Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:01.384{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC65DA5610A856EBE75B0F6ED3BDBE9,SHA256=26BFF16E681C4C4DA9133AA89CF0E4126C5313F0B9BD665B0BA8F384275258FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028392Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-56F9-60F5-F305-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028391Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028390Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028389Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028388Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028387Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028386Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028385Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028384Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028383Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028382Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-56F9-60F5-F305-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028381Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-56F9-60F5-F305-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028380Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.531{53AF6CEB-56F9-60F5-F305-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056114Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:01.137{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EXPS2KV3DT\System.Core.ni.dll.auxMD5=9D050BEFC0EDCA0AC4ABF20376FA0FE5,SHA256=DA8CA881AB535F16D75059E1A0BD90FC8602D4549C17EBBED9870D7CFF6B6CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056113Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:01.137{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EXPS2KV3DT\System.Core.ni.dllMD5=2041735ACCF4A0D44DDE0F13495434C0,SHA256=E12DF0280703B65BC806F70DC05590E33A48732C852ACF4D8A738F9D625218A1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028395Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:02.623{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5248F850F87B0E532B3D838632C03CD2,SHA256=3A5B8F930B72A52ABE51E111B9E8AA38ED7A3012BD3B8A18FCDAFD1DBA43A064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056126Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:02.742{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FHHQ0ESAVS\System.ni.dll.auxMD5=9490A0ABB2089EBF5A6F7BF0A440EEEA,SHA256=4DD6040BEC62D7345DF7DF72F5BC47EA54EFA90A596E821F7782EB013EB8AE90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056125Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:02.742{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FHHQ0ESAVS\System.ni.dllMD5=9C448122BC27C4FD17BF7C73FBEEFC60,SHA256=AC872337EE92B3C8190F63286B2F6D4FCF32FDB39BDF99C88816F6439FD2428B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056124Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:02.589{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\F9LKXV5EN8\System.ni.dll.auxMD5=5B314DACE0CD48E791031B93EFEBB413,SHA256=5D2290D3508F6D1F4FE644AAC53333AFFB5F08F3EDBECFF6B39B3A4AFAB3B6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056123Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:02.589{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\F9LKXV5EN8\System.ni.dllMD5=CFEAD2F9FBBBC856CC066EDF87EACCD6,SHA256=C7594D5B6C3886ABC31EA390BDEAAE0753669682020DCE90F51B0209E9649048,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056122Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:02.390{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3595B315DE595854D7CA63ED0B2EAC,SHA256=0EE38FD30512B7813E8AF48FBD6119D17BAF930137C98B30249CA85E7334845C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028394Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:02.608{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B8ED171F8E7A2F9C0685FFD60109622,SHA256=D13AE7FC079BF351E61BAAA08A6C86077B9A7E9FA24B849FA8B18C447443F0F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056121Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:02.027{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\F1R0DZWR68\System.ni.dll.auxMD5=83A798F75378B58F303737DDEA2A82DA,SHA256=5298F68DF0A59A3273E50A7379FFC8130F7A59630FDB9708C5599AEEED598B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056120Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:02.027{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\F1R0DZWR68\System.ni.dllMD5=7BF417CEFA7114803F9790E7F77CFE53,SHA256=BCFAC92FEE902A98C44D030324FC9DC31524AD816184D660C26EA48C910E0783,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028396Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:03.639{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A721EFB95DD66B37A4EF0DFAF13D9BB4,SHA256=425BD98490500DE06846F51F42C717E890A551FC2CF465DFB459CA2A2C018AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056136Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.641{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FVG9I175L6\System.Xml.ni.dll.auxMD5=8095866932D116E9C54CB06A279A8C87,SHA256=ED3F11FAC5D38FB2CDD797B3031E7D49EFB7BD44DBF9355ABABA43B82CA46466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056135Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.641{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FVG9I175L6\System.Xml.ni.dllMD5=016FE7AF94AF0BFB824D63F6B0688E43,SHA256=AE20EA6C343733690F1BB9B5963AEA624FFB3B86FAC697FA4C16A753363B291C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056134Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.424{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B563F43ED18276823757A4AA427D33C5,SHA256=9A1A7CA39FA3B0D0B3F817F0BEAE479953C7D71AA7CCA7E6375148F42B2161A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056133Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.188{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FOGJRDHHJ8\System.Configuration.Install.ni.dll.auxMD5=DFEE9A07D29D011E5C90B8528DA018EA,SHA256=4D719B04BC17977086E3C97ED6DDE6D64193831715F3671EDBB40F39E3684887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056132Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.188{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FOGJRDHHJ8\System.Configuration.Install.ni.dllMD5=FDAA71B0FD121959A938C6CE35450216,SHA256=0D969086369893119F98A8FA80E3A2CF52CE193BBB4C617BC777FDEF295AC069,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056131Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.172{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FKBOD29XUR\System.Security.ni.dll.auxMD5=8BA8863BEEC87568AAC3B366897D0D32,SHA256=D0E77250356D5D825C484FEE34BBC25BD06C6D1AECC9292A0E3B3DD14FF4B081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056130Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.172{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FKBOD29XUR\System.Security.ni.dllMD5=E050C5A89D23FE6EED7B86C3271787F5,SHA256=1045BCADAF25EAA099C264222B8AB242EC71EF1500EE5C524B2F2D6232D4F3C1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056129Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.157{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FK8KVELJLD\System.Data.ni.dll.auxMD5=9A6ECBF9E54407755BC7A46CC31C1903,SHA256=AB66C7611BE08DAACE1216C27356E58F5FBA629E0D55564BB48C68566CA7DAE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056128Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.157{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FK8KVELJLD\System.Data.ni.dllMD5=C803FD0E8E41B8E4D88B5A805756F020,SHA256=6F56D02E25E27523A86510764F1EA2827AECD9BF4B1B7385CCD2F24940FB4718,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056127Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.041{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6EBF8CB91434800D2CFC5DB71EA0E2B2,SHA256=32CB84FEEACE38D9FE2DE8CE2081A150F5F3129453C16A803B729EFD4DDB209F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028398Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:04.873{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871E3AB1CABF243274EEEB6F66C80B9B,SHA256=EEEBB1DCEBBBE29B939C85BBAD1995CC14A0E487A9C406DE095CF60356650266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056148Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.987{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G13O28JG3B\System.Transactions.ni.dll.auxMD5=0D6387AC9B68EE76DD1AE4111FEB0842,SHA256=F87542DCD5903BA1C034524739A790E9D3B1B336B227F243592B34110620F13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056147Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.987{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G13O28JG3B\System.Transactions.ni.dllMD5=847A385B1E0000FE8E4F31BFD457AEA4,SHA256=70ABFFB679617A8B62208F4BD26F1DAC0C5ADF6FD62EB9C81BE6A249613E340C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056146Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.971{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD96376F35C0D47B58E1E92D12678AD1,SHA256=0373584F998CF24BFB40EDCDB74518DF3606A99A01C5FDDB9E9F30DCE8C87D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056145Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.971{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CF5708D625F71E6A15D064D114A0188,SHA256=138D3033504FF5BDF44E6726013F92BF604AA5023A65A1B4527CE88805B86A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056144Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.940{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FY65QPL515\System.Web.ni.dll.auxMD5=19FB3A849C52671A5AB8AB8EFABC318A,SHA256=799F28D0CC5031F28563E4C53CCF7B1B088589E6908C1961EA9ECB296B368AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056143Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.902{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FY65QPL515\System.Web.ni.dllMD5=0EA90B6E8B779F335E221C1AB127E1F7,SHA256=7F19FC08816DA636C530A17A011AEB221A83A8785ECA95E3530458B296F79C66,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056142Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.671{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1AB293798880BD11C921040330C36FCD,SHA256=B8643ED675E7777CA9DDD235FB724F2DCE76C2AFCC412D4AD43FB23CCBD92D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056141Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.571{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056140Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.456{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9EA8D3570BEF3DAD3624DA85A64C5D,SHA256=79E4322BDFB8334C796722BBD0126E5DA5A5437E0A71F85CC846127822885C7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028397Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.977{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51218-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056139Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.256{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FW9MK8UIY5\System.Data.ni.dll.auxMD5=2AB656FB5268C785EF923D3EE5459128,SHA256=C0A8E0011E3037F316B88BED6DF66543AAB3B178F62A39F6070B5670248F67F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056138Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.256{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FW9MK8UIY5\System.Data.ni.dllMD5=93CE7584E855F6AFBB0E78492FD58849,SHA256=8091F64043891CCB2D0FDC3FA0B9670D53F3444C7B6250340DE846628448DFA0,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000056137Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:02.091{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65060-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056149Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:05.488{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E398511A7FA480E0CFFBD63C951D90E,SHA256=27B0CAE4CCE9982053C49CE4E14920FC82CF07223094B7B012C3327D50AD4993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056162Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.502{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED65C8B3C314062368525563FC221432,SHA256=89B499490397C151A9A5F42B3848C743861C2332A22CEC16A93859B2FAD6C0CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028399Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:06.092{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AA55020005CD68702C46BE8F15AC4E,SHA256=9C49069EA3195414CF931273E515F345F9AD9DA211C84FCFB9DC952190460E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056161Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.455{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\H6GX73S4CQ\ReachFramework.ni.dll.auxMD5=8E0B5273E15B0F56E9333938DF76CA3E,SHA256=4F360EF24EA7F0823D897C9611EADD08300C981C161C1B36AD8CEE21CED8EA41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056160Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.455{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\H6GX73S4CQ\ReachFramework.ni.dllMD5=E069FAA5ED61AE659FFF54862D342EAF,SHA256=51516AF2F20913DCE266088B51C10A25A23950B680553277955B6DA6C62D8001,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056159Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.340{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GXZFSB4FLE\System.Configuration.ni.dll.auxMD5=EA64890856D84601CF0F15F8F925876E,SHA256=BC3CBF89983AF4F608D30A0FA34FB62C3F716BF7B77DAF65A806DD567D4EEA24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056158Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.340{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GXZFSB4FLE\System.Configuration.ni.dllMD5=7C4B6B49CBB1C3DBAA853BD4E51B378B,SHA256=91DE196C16599FE3164E02F877E74D5F2526AC8C0B8DFDDD3A07D072654E8E98,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056157Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.324{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GW3Z3ACCXR\System.Web.Extensions.ni.dll.auxMD5=47F23732071CE372B9243110B56A1313,SHA256=7F15665D9BB1AE85C095B19115B0C67B3A4EB52758FE0ECBDC13C288723E79ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056156Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.324{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GW3Z3ACCXR\System.Web.Extensions.ni.dllMD5=33ABBACBEBD570DF9FC4774D00275EA4,SHA256=378ED5CA79D9890DEFA965E9591B916A35B60E1B8D7EB39CC9D4E88FDB6FD52E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056155Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.156{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GGTS06TXPC\System.Management.ni.dll.auxMD5=C1BFBA62286B37FE0040708E215BF84E,SHA256=03F8237BF012F6F2808F96D34F1F239C6853F03E0260BB8CEC7971ECB0B3BC53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056154Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.156{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GGTS06TXPC\System.Management.ni.dllMD5=3C5C4EC7108C741BC98B0C4DDD57674E,SHA256=9D2273BEADA4D0C7D2CE64B81771586505790835694F2984E7BBE37F0BAAEC05,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056153Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.140{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G7Z8TQPLC6\System.Numerics.ni.dll.auxMD5=EB049ABA5517841C734115079F8BD603,SHA256=2877312EFE8951A61700B5A8981F42E506060308E5D402F8E5FC7F879EDAC5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056152Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.140{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G7Z8TQPLC6\System.Numerics.ni.dllMD5=D282D2158C31BBF5B31EE855F7B15EC7,SHA256=72E1074D33DC23AB1D680257B353F3C2210E1C9095D3284570DC678FA3E93907,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056151Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.124{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G1SDECW2WW\System.Web.ni.dll.auxMD5=9A94D56493D66174C9A37E6EF2C17EB5,SHA256=FC910E7B67FB2A4152E62DD5331172171DBF204E9378834C9614E4E30F8511AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056150Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.124{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G1SDECW2WW\System.Web.ni.dllMD5=58C687EE63E997153029284E45B3E091,SHA256=3A8601672FF13A34D8B297B144322BA802EAECE4DD3146096F9C9BC54F9BCC4C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056166Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:07.520{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606C6BD0D07E70EDE380903BC9FC30BE,SHA256=B12ADC880B85C9D79AD7ABE98D5B5BC57DF29CAF9F0612C4DC8A4921577E1B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028400Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:07.139{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B59949AE58D4B5898C8C5F1663BD08,SHA256=A06ED6DBFD95275D7C6401BB4686C0E669EBE6138FC5036DC0765F04D36E7C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056165Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:07.439{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HGDQMPXGQ7\System.Web.ni.dll.auxMD5=F70CFE77E87F55A4FB36DAB40447C16E,SHA256=C4FBD72EABC752EDB93372AADFEF11DAAA4BD9299569721BD28D962590520BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056164Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:07.439{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HGDQMPXGQ7\System.Web.ni.dllMD5=F79C500CAC32075017619FD8994AE0F4,SHA256=21CE1E3E0ED6F59044FA08BE14CE93325A1AB45F1E334B7233718A455BFA4637,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000056163Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.505{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65061-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000056172Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:08.553{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C06CDA45A056D5D43E9CAD1FF5CE7F4,SHA256=2998BA0D6F366673C7DE32551CDC509989F754E6A3BAE107320317470EC2C42E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028402Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:07.008{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51219-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028401Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:08.155{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBE7A4A282D83B84B1E4626AECEBAFC,SHA256=D740F02F9E22849F590D5E8ADEF5419817995E4C7125368D7B95F44275A7D452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056171Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:08.500{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HYL1KLWVXE\System.ni.dll.auxMD5=FD6DE591D3545BD3186DE631F46BB80B,SHA256=D9B496E22C03C6FE99055B4F3BE41057867B2190F6032B0E7B386988E37046C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056170Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:08.500{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HYL1KLWVXE\System.ni.dllMD5=94AE45817D7A11DB2165BC6DF4997AD3,SHA256=45879B1C723A5AE6F9577A9BC99A145C15487C5CD4FF456EEDBCC87403041C9A,IMPHASH=00000000000000000000000000000000truetrue 13241300x800000000000000056169Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:42:08.322{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 23542300x800000000000000056168Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:08.085{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HOKOV5H7CS\System.Windows.Forms.ni.dll.auxMD5=52BD50ED4F47D2E2F29961EE0EFE38D1,SHA256=4805A52F8ED7EF89DC686E2DCC6B06E6CE63E763917F8B1AB9012712243523C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056167Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:08.085{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HOKOV5H7CS\System.Windows.Forms.ni.dllMD5=4B85DF10FF589C916B17F5D590D44713,SHA256=696E3043EC7372A00BC16ADBD6A77EC067A177538A498EFE96BE7549B2A264EE,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000056181Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:08.034{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65062-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056180Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.584{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C0577252BD53C584A8C2848F38D839,SHA256=9C3C5ACCA631D61034F9B876161879132D75F57FC51477F8D51275E31BDFFDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028403Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:09.170{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB69A1FD06F73DBB19F20282B0B06C1,SHA256=85B59B2386D4293CD3A0FC0816E6177BE972C821C975C4DE23045E6FE57968B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056179Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.499{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55FD-60F5-AE08-00000000E501}6676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41b35|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056178Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.499{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F5-60F5-AC08-00000000E501}1144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41b35|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056177Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.499{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F4-60F5-AB08-00000000E501}6836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41b35|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056176Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.499{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F4-60F5-AA08-00000000E501}5952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41b35|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056175Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.499{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F4-60F5-A908-00000000E501}5940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41b35|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056174Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.484{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I0ZG5LI9D8\PresentationFramework.ni.dll.auxMD5=5D398136B7EF718AEDDC2B292F49FA7E,SHA256=DA7E0528132F730C1206B617B914AC2DEF37E27A63759CEE6CDF56EC61E54650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056173Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.468{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I0ZG5LI9D8\PresentationFramework.ni.dllMD5=78D04F023FC7CE7C0509605E674FB7EA,SHA256=35B483E27DF57BD7F2025E69EFC2C721C552C158D7D1DCB8398CF7DE3ECE8DA7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056189Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:10.820{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I4ZC1WO7UV\Microsoft.CSharp.ni.dll.auxMD5=DD0CEB4EA439E19B10174EF6765C98E1,SHA256=75AE3D143A5C54005FD62BDD0961B822893FA6950D9511F46D3F0FBA167B910E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056188Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:10.819{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I4ZC1WO7UV\Microsoft.CSharp.ni.dllMD5=B532D8EE87DC58C1B47163040764B56F,SHA256=D21ED6A4DE422B51B01FB33ABE0B8A7E05ECB33DE3565C080BC7F36531BA0ED3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056187Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:10.720{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I4EZ579ZE9\System.Data.ni.dll.auxMD5=DF0F1C0FA81E796AC70A2D94A073E9CC,SHA256=0845B10F66BEDD2065E719081C9D63342AA232BF92EA04790F2F4B5CAD7C0E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056186Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:10.720{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I4EZ579ZE9\System.Data.ni.dllMD5=3EE0E72D8E3B1539DC08D97CEEA7108A,SHA256=255AC27EC0628CD1C208742807B816562D279688C1DA873A889FB54230281B6F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056185Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:10.698{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B341434D562C66376375EA6C98CFBE9,SHA256=EC9C64258DF4E12276C71E803568EA2EA893F29EDD44D7C456AC572B503B0E2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028404Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:10.280{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0C318534444AA95C61D33FEF794924,SHA256=25684ECF1E9B3B466D37EE5755D374B91C86C4B94EE1ACF4EFC44CAF166AC442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056184Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:10.052{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I36AMTGQTY\System.Core.ni.dll.auxMD5=0FBFE5BF85572E5EAF926378B1D5A6CD,SHA256=365F134ED4CC28065A185B62435A5E607FC545BF4555821AF933C4BF882EEC27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056183Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:10.052{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I36AMTGQTY\System.Core.ni.dllMD5=B2E70F3704B5B64DC37B04E4C1C9CB25,SHA256=E91FFA95C7EABAFFCA0D419C77925EDD1D4F7901C520B962CAC5FBF4547830C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056182Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.999{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056198Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.967{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFZ4XBDHAS\System.ni.dll.auxMD5=EDC52D59BDF2DFBB195AE6DD2A938270,SHA256=ED816F3F4B2D458DDAC0306AFA5B9D2C080734BC035126054DF76141F90910C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056197Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.967{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFZ4XBDHAS\System.ni.dllMD5=D71B052A790A577400CB572A7D4CB69B,SHA256=DE2BE5C6691862A5223BDFEFEE00F33FB6C7A5B2F6DC68124E44EB42D8D3B709,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056196Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.851{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=51200E2EF70A8BF856B7887503C11084,SHA256=5C921D6858A6204FED777175B11D2557F02021C0783AF31794B002536F92EDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056195Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.851{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F0F5879455CC1355965C4B1017824873,SHA256=1E6F427E20D1266D130135236543645C6ECEBFB3FE506A6CB71620795EAE580A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056194Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.718{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA87885CFF64C4A5CB4964D9BC6B66E,SHA256=A8A2FACD1A39E307744BE02FE1695169DB6DBB63FE65715C77820B6ECEE672C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028405Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:11.498{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3309531BFFA0C8BDB8474B74101F80,SHA256=B0A56F6E6F2F70525613D2FF05D3CF0695C80766A6A9F467381D68600232C519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056193Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.367{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFIZWTS6QK\System.ServiceProcess.ni.dll.auxMD5=5F1B10CF85EC7771100106A8D294DE9A,SHA256=C39E9DA9D01E465D0018CD0F38C4679CA99D3D2DE577B40FADE4BBD70AAEB914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056192Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.367{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFIZWTS6QK\System.ServiceProcess.ni.dllMD5=B5478080DC0565883D13ED0AEB88AE0D,SHA256=7133B1C2FE4870AB945EFDC8A8846A7C8F3F50F9C86784C3B9E0EF0CCBE62418,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056191Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.352{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFE8ASBLJ1\System.Core.ni.dll.auxMD5=870A3297397BA0FE7218B9C05CCD1E5E,SHA256=1EB4BF3E6FB4775A6F7AEE5392F452B0E673B4F5C6E539E2C40414946C7BDEFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056190Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.352{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFE8ASBLJ1\System.Core.ni.dllMD5=8326A23004BDB577F7A7127273214004,SHA256=F00785989931F0C8E944A6A8DD2D28F4F623EF4B9CDCBFDA3C1ADE17FDF1D9F8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056201Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:12.735{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BDAAB8F7E5D6B00217E2BE12446AE60,SHA256=12895FE40743BA8BCAE26B13CB9AEB25C1B1AEF6E04AFAD57FD1E584B258A5AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028406Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:12.733{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25EBD5946EF954C052898074D0757AC,SHA256=CA8D98FFD047FF715AC13E26EBC179B75598D01FBB256C5465F6C885B53D811C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056200Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:12.336{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IGF1HM5791\System.Xml.ni.dll.auxMD5=1D30F3B92D5134B2A30A5F0DE1C91264,SHA256=E0F0F10CD976EFE6069FBD50986EB409295BB110D1848EB1C721DB525CA03F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056199Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:12.336{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IGF1HM5791\System.Xml.ni.dllMD5=D7943DFED3B022B1D45A86E115CA587A,SHA256=0CC48205999BBF650571D739A7CCD2436528FA0DBE507E46F61D53028F5246CE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028407Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:13.967{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D8EFD8EA69595DA15E93ACF6695686,SHA256=CCAD43BC8A9A3CB86A216E143EA9C5262E5AE2E3ED2B107E2CD7FCDDE4B43B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056212Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.736{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132946CDDF25FA241AA78C676E1D8349,SHA256=7FA2CFD9CCE036D39EAB9BAB8E26FB2584290C561510987EE290FBB6DB74B62A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056211Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.683{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ILWKXVRXJC\Microsoft.CSharp.ni.dll.auxMD5=DD0CEB4EA439E19B10174EF6765C98E1,SHA256=75AE3D143A5C54005FD62BDD0961B822893FA6950D9511F46D3F0FBA167B910E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056210Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.683{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ILWKXVRXJC\Microsoft.CSharp.ni.dllMD5=B532D8EE87DC58C1B47163040764B56F,SHA256=D21ED6A4DE422B51B01FB33ABE0B8A7E05ECB33DE3565C080BC7F36531BA0ED3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056209Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.652{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IKXY32A1W2\System.Configuration.Install.ni.dll.auxMD5=08DAC8470A6071A6F9D300CCECE11FDC,SHA256=F21F4F9BD5BEBE704971BBC058A01C007211FABC2BF86E2BDFF504394E89A5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056208Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.652{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IKXY32A1W2\System.Configuration.Install.ni.dllMD5=6CEF29BBBE3A64E8EDA58C8614B58316,SHA256=D6B4C973DAA83DB08F6D1013643F3A287BE92A3DF7629A06421EA2370B126C58,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056207Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.637{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IK5PEOTIH1\System.Numerics.ni.dll.auxMD5=6D550B69BDC7D89EC2E3554A3DDB4667,SHA256=7CF8E63A66C6685A48A43466D8842DE966699265AF5DDA14CF5EE7EA2398B019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056206Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.637{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IK5PEOTIH1\System.Numerics.ni.dllMD5=AF5901179DD8427F1BCE805FC1C60542,SHA256=976A8BC3D65758BF022E26BC0F8BEC1B908D58665A99B6DB45FD5004809E16C5,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056205Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.637{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IHRTXUCXB7\System.Core.ni.dll.auxMD5=34557D491F925C33B9579E2AE5BD4017,SHA256=AD30F4DA8CFDDF64D38E65145696AF7233CD5ABA10C244B882ABAFB770D7E608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056204Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.637{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IHRTXUCXB7\System.Core.ni.dllMD5=19160F5E64B830DD9B54C49057A68163,SHA256=F18AEDE0C9B8E6ADA6BF9FCBD86239712F1C420E1BAEF0FF02339F2F15F8BB81,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056203Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.139{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IGNWWS1ZB4\System.Windows.Forms.ni.dll.auxMD5=D446BDCD7E3BFA151BD38417CA52BBB4,SHA256=DC1794960B5836EC691C2DC58B068E76C8FE07B8A1293373ED30ED08A02887B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056202Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.139{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IGNWWS1ZB4\System.Windows.Forms.ni.dllMD5=EBA141EB6870A5CE8F381C7423130E8C,SHA256=60BF35B16E89046C8D5D49C3FE8D73AF63226FA1A4C865B96EE067035A3C21A8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056225Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.938{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\J36I8I01GY\System.ServiceProcess.ni.dll.auxMD5=7F30D62C40ECEBE959AB7FB13D9CACB6,SHA256=F563890C1B347670F0A4C7D48375B329C4D6D5668656AB34D431CF54BDC84959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056224Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.938{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\J36I8I01GY\System.ServiceProcess.ni.dllMD5=6DA4DEFCCDD3303D217F37080B3C82F2,SHA256=5848262A5DF18EEDA336B5BCB85B1E4544E04A99B0D79AD3E249CB0F4AF89CCF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056223Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.922{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\J28YD181DN\System.Web.Extensions.ni.dll.auxMD5=C347F922A9553D718BBCAEEE3869876C,SHA256=722410E5968780B9E761CF0DD4EB88AE0ECFDFDD4108B53D86E537B6EA9C8737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056222Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.922{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\J28YD181DN\System.Web.Extensions.ni.dllMD5=77ED9EDEB0747952D3B1A7B6E67D01E3,SHA256=9307F45BFEF69DEF67D5F1B21A7EE2B9DC6B8721A33329220F5038C01A3B0A8C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056221Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.738{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0247DD26A61E925460D58A6FE02B0EF4,SHA256=D23F93335D19FA21DBC81C28F64424D67382D655D842C9C2D234A1E50C56EC8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028408Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:12.977{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51220-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056220Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.685{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IWZPZAJL13\System.Management.ni.dll.auxMD5=01E8C031085FF8BBB38DD53F01924384,SHA256=3C5FAA30091A95257E80AC41FD202AFCB16ECDF79580A88B7BFC05ECF44F2FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056219Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.685{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IWZPZAJL13\System.Management.ni.dllMD5=5C1FAAE417082B6C49E892CB5E511218,SHA256=68EBA231E243F2FBDE1EC5F1EE17FA7C1D6B49EB116652AAE4E980CCF1878101,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056218Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.600{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IVTSH2AZKH\System.DirectoryServices.ni.dll.auxMD5=E240420E93103B565F0E202D65BF02CC,SHA256=30A7A2ECEEA4B1E1EDE71D67D6B3E652C6996BD71D330FE6C58618AE230795F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056217Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.600{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IVTSH2AZKH\System.DirectoryServices.ni.dllMD5=1C9EB8C8F79E7AE6D1837A92AEA937C9,SHA256=3FDBD432E9BD0A40D636E64FED0E27AFA7AFE8EC8DFBAF1CEB0E02CF9D45E191,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056216Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.538{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ISOLJHW95H\System.Security.ni.dll.auxMD5=A8E16B0835C7BA8888173106EDFD7698,SHA256=7D44F7630D8C42C9BCBA5DB5C74B36391E11FC17D4FAF6D26C452C1BD3E359EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056215Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.538{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ISOLJHW95H\System.Security.ni.dllMD5=B92BEE33B09857E5DB60DF34BED170CA,SHA256=C07B57EDCAACD9E9B6CA2340A8DAB75CCF3BE99EDDF063804E73FFB74CDE645D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056214Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.485{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IONPFI7NJD\System.Web.ni.dll.auxMD5=2021AE82CBD2D825BCC5BD389D6B04BC,SHA256=E735BB5F60025D0802BCA188FCC852A0EF05D1F61A823F2B3F1A7F8432BDAFB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056213Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.485{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IONPFI7NJD\System.Web.ni.dllMD5=3ADF0B1515BDE1375284BF35B32290C2,SHA256=026A4F05226CFDA96E2C8AEDD27DF895A67061C9D5BA5C4F3E695A5B5828F65C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056230Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:15.884{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JHYA271NNM\System.Numerics.ni.dll.auxMD5=6D550B69BDC7D89EC2E3554A3DDB4667,SHA256=7CF8E63A66C6685A48A43466D8842DE966699265AF5DDA14CF5EE7EA2398B019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056229Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:15.884{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JHYA271NNM\System.Numerics.ni.dllMD5=AF5901179DD8427F1BCE805FC1C60542,SHA256=976A8BC3D65758BF022E26BC0F8BEC1B908D58665A99B6DB45FD5004809E16C5,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056228Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:15.884{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JBBR8BELHO\System.Web.ni.dll.auxMD5=0957F4DA581E02FF9C1610899338F081,SHA256=149C4DEBA1B8BC2221AE4E9375A4D096B7FA043FD251BF9127A286B9B5C870AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056227Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:15.884{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JBBR8BELHO\System.Web.ni.dllMD5=518A18816F2AD45C37A53A4D5AB36114,SHA256=3978A170D2047F55D0D22592D4D67EFDBD4AD29E48606367706C9BE4214F84FA,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056226Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:15.752{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D83096DE01C4CDC814D2CEF32117BC3,SHA256=691970DB66E3DA55F4DC4FC09CA0D6E9668B232BBBE682D9400050F11E936938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028409Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:15.139{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC3DCC36CD5719BA15912C3CA1ADE1C,SHA256=A599B79C58A2B1044907C6CCAE933D47B9B2EF0EA29CAB0F59B737CB19348F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056234Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:16.767{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611818CB1B10CC78C9043A85342EB684,SHA256=5F0655A8C3696F7FCAD035260D5A681682AB1D5275834EE7A21DCCF873694767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028410Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:16.217{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B5A4B161F96C329D79F55E34FF2BC4,SHA256=856699CB41CFDEAACB3F569A853AC5988A9A653DC04ADCEE2DEDAFB744090315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056233Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:16.616{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JMYST3KO7Z\System.ni.dll.auxMD5=2757D2358B8F06C9205162B01ADD8563,SHA256=7DA6F03A2961DB5296E81D1186309960BE931C942AD7F3BD2FE11BD1F40F0B40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056232Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:16.615{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JMYST3KO7Z\System.ni.dllMD5=897FC7C6AA44F5EBF88139492F41E46A,SHA256=D365B32B72989F4BAED79A536394AB7D040B9A920F89897DD5BF77264F8A6792,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000056231Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.150{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65063-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056241Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:17.819{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JXCZJIJOPH\System.Numerics.ni.dll.auxMD5=8C8F36DCBC0AB4F29DC79D33D9CD7240,SHA256=48D6097F83178C3905EC2BCDA01C80CFFB1A832CB1F0BF5F08E510C86D6F9215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056240Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:17.819{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JXCZJIJOPH\System.Numerics.ni.dllMD5=845E361BD51C969466956F80361DE179,SHA256=1BFFC23BB5882DA343969E12ABE4FC89BBC0EC41D9C30E7DDBCA7ACF250A2752,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056239Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:17.819{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JUQ7610ZGN\System.Windows.Forms.ni.dll.auxMD5=337A44DF08CED104D7814C2A7B3A0898,SHA256=C5E3AE32A409B4FCCE84FA81A83509558C8AC31166CF91760407F9DEEF2EAA60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056238Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:17.819{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JUQ7610ZGN\System.Windows.Forms.ni.dllMD5=AB95BE2F0381664F51CEDC66091D7BE9,SHA256=177E9A8A1D1800F1C28BEC108CD5AD847338548FDDB471FF708CE4FCC6F5C606,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056237Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:17.782{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5881FE64C87017BC6BAC8FEA82D336,SHA256=4FDFCE940BD2B5101E7EAB9FC38908912BFD4ECF055C24E0A60427B938B6AEE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028411Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:17.452{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36993607D3F713D53B01C9B02AF36C5,SHA256=78876D0C7751AE36D31AE717675246E92F093B20A45E66E012E856E4BACC3C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056236Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:17.666{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A75F24D409F2A99E5C150B38370F97AB,SHA256=C1C3EFFE71C6C2B95E7FE4B8C358D04596A044DAFAEC35CBCD2177E0D70C5986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056235Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:17.666{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=51200E2EF70A8BF856B7887503C11084,SHA256=5C921D6858A6204FED777175B11D2557F02021C0783AF31794B002536F92EDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056249Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:18.881{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A75F24D409F2A99E5C150B38370F97AB,SHA256=C1C3EFFE71C6C2B95E7FE4B8C358D04596A044DAFAEC35CBCD2177E0D70C5986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056248Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:18.797{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4294BFA2C561237F62C15CFE8E5074,SHA256=0B5053F1773B621F45A494C64CFC6E33ED737CEA1E2A9311A91CE19ACEE0FF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028412Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:18.592{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFB9D32178C5B8138D17F1B66ED5E44,SHA256=A10B39CD8A2920B2EF2F8B29EF3A0ADFAF73ED8D1D2C05ACEBA968BD1C483FAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056247Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:18.734{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KIR6X57GGI\System.ServiceProcess.ni.dll.auxMD5=A2054B56E52D30E988FB8E8A16E667BF,SHA256=009ABF98AFF25034C2A60E2E5C2F5687889F13B9435D965E52052A797E830C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056246Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:18.734{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KIR6X57GGI\System.ServiceProcess.ni.dllMD5=701013E651E17E9D7EFC716A52EF250D,SHA256=653178D1F2FE4983C9E8FAC3E4BC2F0CE7CAB8F5A44BF1FB710B901082841FEE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056245Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:18.719{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KERR5LIL6C\Microsoft.CSharp.ni.dll.auxMD5=74793ED55CA5E05229CDD02BCE056C64,SHA256=109B547081FB3D7DD775E60449A24B88EAF5A35B5EC3B69F4B0987E6EA0D5C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056244Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:18.719{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KERR5LIL6C\Microsoft.CSharp.ni.dllMD5=401729E38D7ABECD78EC2E9BCA281C5C,SHA256=BF273BA827A9BADBB785086965D428382DDFDE50B53355D2BCD4AFF70695C0BE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056243Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:18.697{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\K2C08Z5VQM\System.ni.dll.auxMD5=938F2463A77401FE0B14F375FA9E1ECC,SHA256=CF737F659C2B4F6A5991AECCCB5A424748075189BDD3853576AC68B316A37A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056242Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:18.697{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\K2C08Z5VQM\System.ni.dllMD5=E5B921ECDA5B62F89AD0F30770489EE7,SHA256=94548B6DA782327576F76F826309ACB5CF6A80F9799F6C1D79DF4320DD8A36EB,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056254Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:19.818{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD623654D159C2418443CD29273E3A3,SHA256=4ACD3CDE153D80FDFB2A81C2D181AC5220F1A47A2029CAE6B586AD4FBBE0EFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028413Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:19.608{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05D311497D11C1F3FFD01AFF624AD2C,SHA256=F21C0B961C6953FD9BE1787DCD8A47EEE8724F1934819557210EFFF3556AE207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056253Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:19.681{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KOLTA8KVP1\System.Transactions.ni.dll.auxMD5=684302FE423D7E41FDC82C1D5856E236,SHA256=F337F5920192EC0AACF5FB4361AC90BC3C648AC0846D5C2CE84645D465DE0ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056252Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:19.681{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KOLTA8KVP1\System.Transactions.ni.dllMD5=ED09B66BD9413256CD1DED2FD1782AD2,SHA256=90BD081F86F3888C1C8F639B10BD88D7F212573EBCC4E7B226103CC1472AD823,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056251Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:19.618{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KKNIV7Y3I1\System.ni.dll.auxMD5=4D1A6689DC11F81CF9642E9CA661FBD8,SHA256=184270D73884EA9ADD722EAEC9D3A0806F5CBD2C7CB4D6DC4591869DDB2A4194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056250Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:19.618{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KKNIV7Y3I1\System.ni.dllMD5=1D502B42F3922DB469D11EC1DD4A452F,SHA256=3F4717011759940D5F9F588CC8BED4B958CD94C373592206C1AAEBE284DAD7EA,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056261Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:20.835{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90C478A94883273DD972B98A179ABBD,SHA256=9CFAD80B8A63579965CB70129BB9C7E3E9DF8AEE044E2DA90E6D57AA7CBE6C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028416Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:20.936{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E6A2819C5C484909D33D943A2F7FC0DE,SHA256=D677911C8F25560B126BBBED640F87AD7A8512A3F69A5420DDA1097CA22BD7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028415Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:20.717{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CC167614EA5DD4FED7BE9DB2346CB7,SHA256=298CFC84DC54F89CC1861031108A723A1DC6DED1D940996DC3ABF3C01A2925FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056260Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:20.182{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KXNDZRV6MH\System.DirectoryServices.ni.dll.auxMD5=C2E0864BC116ECCED285DA8D65EBA6C4,SHA256=2BB21F1B779326CC28A17D48D9F22E3D40D2AA67CF35282497E9BB087377688B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056259Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:20.182{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KXNDZRV6MH\System.DirectoryServices.ni.dllMD5=D8D409480F7CC454D0719266B2D7D9CC,SHA256=9B5D64CF20C48A42257A1E2E68F810F179E553C3CF743ADCA720BC20682A0849,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056258Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:20.166{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KWU26L5G78\System.Numerics.ni.dll.auxMD5=CC8504EB0D831F3A4D7BF486C8BBEA57,SHA256=E9740B680C31812CB7524E87205E12CA8DA04DE69735BD7EAA900EDEA24D8309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056257Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:20.166{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KWU26L5G78\System.Numerics.ni.dllMD5=AD4643D2B1E5DF5D5B5986C4870424FB,SHA256=E7518CA9B10991F2C502321C26DD4F3AB778E162B1A3AC90888628FC864C47BB,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056256Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:20.166{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KU41JGUGM9\System.Xml.ni.dll.auxMD5=63CFFCE43BBED168D0654C5A8A018374,SHA256=3424CFD864C6AE00FFC20B978CC30ABBA607511DCD8E423091E952A7A99B11F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056255Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:20.166{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KU41JGUGM9\System.Xml.ni.dllMD5=4BC31F57ACB281F7C863B91725EB6C29,SHA256=459055F2D2B7F600BE627AA49F1681130C1892BC0A0F8DDC76E9BCA32487DE2D,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000028414Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:18.086{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51221-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028418Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:21.952{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1443D79DF536FEADFBA538A991C6A97,SHA256=AC76FC7DC7138E713DD3EEBA5D560AB4D8759B31EC61367ADEC4D9DDB672BBC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056278Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.835{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E134D4B5820F32636BC95DA7F899E7,SHA256=9A7B608D0B1F1862FB04420F5127032DD17A23CD348505C43998F9408BD5109D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056277Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.798{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LLC80O1ZV5\System.Security.ni.dll.auxMD5=7BE8E3D8CBA8DE7A117F27F0345AACDB,SHA256=9BEB3A0B9B7CC3C5843693FD59757D3AF78C48A48C7E949A2DCABC3181AB7625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056276Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.798{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LLC80O1ZV5\System.Security.ni.dllMD5=54B8805EB3C694F29052E9B1789A07DA,SHA256=4D2E9C421DE3E5FA95A79E6C35CD689B53BBDAA27FD36114ED4710F9CF1F27DC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056275Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.782{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LKAJNTQ0TG\System.Configuration.Install.ni.dll.auxMD5=1BFDFCF998903EA6AF2C7F1496C9BD50,SHA256=DE281F3E622CCF729BB00B9DDF68643C79FCF455B0EC1FB21DFB5F94AEDD6859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056274Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.782{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LKAJNTQ0TG\System.Configuration.Install.ni.dllMD5=A8DA77D12ECE05B2F62E9C4953661141,SHA256=FC27E15E339A52EF8C0D829E7E6800365A1755A8F6DD1650018EA73CFC18996F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056273Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.782{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LK2QT4W2RD\System.Drawing.ni.dll.auxMD5=CCA0985CD95C87162EE8FABD44FAE1F5,SHA256=EE34560D22D7CDEF63F66AE66B409DEB4D75505E1017190BEBE0D4191610E7DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056272Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.782{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LK2QT4W2RD\System.Drawing.ni.dllMD5=13B68E88BC8FE03216C474B8DC5258D1,SHA256=64B7FB05FD5CA1DE5630A096593393F2EBEBE2D43AD94B1D514AACF05702F345,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056271Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.698{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LIM5T5XM4L\System.DirectoryServices.ni.dll.auxMD5=8C62FCC7526EA7B45336F62B19961917,SHA256=380C559E81001EB5A7E6E4CB27A7BBC78CAF792DAC2CA81FB5CEEDD346D56718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056270Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.698{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LIM5T5XM4L\System.DirectoryServices.ni.dllMD5=1B1CEB2CC83E5F299E616C434A37FC86,SHA256=1AD9A12E233F803A985AFF686A26B3DED3CB16927C25CF4C7BF0D7AA4CED4137,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056269Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.567{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\L3ERTDNST0\System.Core.ni.dll.auxMD5=7E0C144A9DCAD31A8111B8B42DDCECBA,SHA256=AD9B8AF589F1D2BA5C81427E41087FC704AC82D57DE568EF8085DC9977CF8549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056268Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.567{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\L3ERTDNST0\System.Core.ni.dllMD5=F1FE6824F513926F23FFFE53348D791F,SHA256=8AB5DF5356D9BC7FF295DA609CE1AD35A98FA8A91B98CE805B6CE72840483BBC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056267Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.515{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056266Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:19.014{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65064-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056265Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.098{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KZYRIY0MEY\System.Numerics.ni.dll.auxMD5=46C8A979AD3266DDEF725C7E593B0EC9,SHA256=44F41AE20DFD28ABE6EE0E04898C519AD9709FA50D948409B2ECD81BB20D3D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056264Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.098{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KZYRIY0MEY\System.Numerics.ni.dllMD5=63A9B260BCFCC94E75F0B012DE2B32EF,SHA256=3BFD410197EBDCE1914F9CA077D5B2BE75A664A54D5D9B05169694327EC86CE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056263Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.036{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KYQGEDG1SD\System.Windows.Forms.ni.dll.auxMD5=AC36643F64BD9537E552F35C0B019EFB,SHA256=4AA66A91B44CCA1403B9F0E71435C3233124EAAC20C434412CCACB77255B5612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056262Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.020{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KYQGEDG1SD\System.Windows.Forms.ni.dllMD5=A8D652BBECDD183E51E2E654E8F4770A,SHA256=C1FC8E5327FC8C5492756648C2AEF53E12E5F647D82C4A01DDCF1DEF561E92F7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028417Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:21.311{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056279Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:22.850{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D3AECC65DEA99F19F641E13ECB50AB,SHA256=0FCB66AB2E64AD13156FE05AB9879B7498931B3CCCB5A631FC860F0AFABA3286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056288Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.850{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1802CF262301DA4A0C02E9315719920,SHA256=CBE9B0561323581C84BFBA4704EC8AC9FAC692A48D7E72DFA6A5E95C1322BEE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028420Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:21.179{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51222-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000028419Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:23.142{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F055BB45A63CCF3183670EBCB9A71F,SHA256=C3CEDF3978511DE07970A02D4FCDC088CC4BFF624DFF1A31B8F94C898282F076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056287Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.734{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\M06ORVAQ4N\System.Security.ni.dll.auxMD5=A8E16B0835C7BA8888173106EDFD7698,SHA256=7D44F7630D8C42C9BCBA5DB5C74B36391E11FC17D4FAF6D26C452C1BD3E359EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056286Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.734{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\M06ORVAQ4N\System.Security.ni.dllMD5=B92BEE33B09857E5DB60DF34BED170CA,SHA256=C07B57EDCAACD9E9B6CA2340A8DAB75CCF3BE99EDDF063804E73FFB74CDE645D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056285Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.719{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LYGE1N23YW\System.Xml.ni.dll.auxMD5=040DE208CE1EB5D0024CE936E00E3392,SHA256=33953292338BFB6EE2756974051377A824A6C6DA3BA533A3FBA6D86218957BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056284Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.719{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LYGE1N23YW\System.Xml.ni.dllMD5=6644706835E5D443B9822C53AED1B87C,SHA256=14CFCA3962038FEEFF28F93571BDA791D9DAF2FB8E34C066E027DBEF1D07F5F7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056283Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.182{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LUC2W71J27\Microsoft.CSharp.ni.dll.auxMD5=C4E4AFE001B45754A961F829FA2AA4FA,SHA256=AD75AEFF2DD869B6EBA26338422C0DA1577C6D99923183CA8E58F68D71873E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056282Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.182{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LUC2W71J27\Microsoft.CSharp.ni.dllMD5=3DA8C7A3CE434CDF212B055456B2D5AD,SHA256=800BC5C217E541299A28DCF0F10BCD943B74F33E250FAFCE57D3BCBE02060463,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056281Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.097{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LMV1K7MTCD\PresentationFramework.ni.dll.auxMD5=DE88ADE06E3B0B87F9EC542D03B909BD,SHA256=CA646AF9FA56EDA1FF4974D5AF0A9B2B360B84CC30AE311FAB387D747E11DC02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056280Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.097{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LMV1K7MTCD\PresentationFramework.ni.dllMD5=585F7866FCC0FE6A5D732D961852CC62,SHA256=1DA8CCE6A338D38A2D88A14748AED2156D2B95311FB4EB5CD0A5BE147BCD403F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056294Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:24.865{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23C71F44023818795DF961FEBADCC9B,SHA256=1DB315068465F751A2723E08D468884E7B7AFB08EFDCB53358168B897C1A2E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028421Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:24.376{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE1083592918A35EA95BDFFC338428C,SHA256=4FE3E49C9C061F3972EC0151972EA7FFFACDD4249EA041F91BACF011ADFFFAE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056293Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:24.718{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MIUYZJ4R64\System.Data.ni.dll.auxMD5=4000DCA0209C14C9BCD1DD177196F2B5,SHA256=83875A2E7B0EA34843C1D8EBC0980BEC7A91B6E1FE4B11BCE69E81BBDDFFC942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056292Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:24.718{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MIUYZJ4R64\System.Data.ni.dllMD5=E0DF78698CCBBBD22D7DF8B84B214338,SHA256=D5D79E6A941196BDDAA97DD97CE08D88F5D49F6F6BBE4DC1BE1BD3BC2DD611D8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056291Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:24.697{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4C8136662F4EE72A9F39F25EA19089DF,SHA256=BC0A55553612F6FBFB302BCD7C20610B48D3656CE383357430D6A5DD4F3827B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056290Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:24.266{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\M9TLN9HBIF\System.Xml.ni.dll.auxMD5=040DE208CE1EB5D0024CE936E00E3392,SHA256=33953292338BFB6EE2756974051377A824A6C6DA3BA533A3FBA6D86218957BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056289Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:24.266{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\M9TLN9HBIF\System.Xml.ni.dllMD5=6644706835E5D443B9822C53AED1B87C,SHA256=14CFCA3962038FEEFF28F93571BDA791D9DAF2FB8E34C066E027DBEF1D07F5F7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056301Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:25.880{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3B990887696FB72364871294F1293F,SHA256=851F3DA48C45EEB428C08009F39FF19CABD5168FEB8385DA7681321E3392DEFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028422Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:25.439{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD2302CFDF15C4F20022E32352CABEC,SHA256=2B2E0B5394B180E7B12614B5C985C69D5D5329C33E2E6B0282317A770FB1DDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056300Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:25.480{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N0IVNE6B7B\System.Transactions.ni.dll.auxMD5=6C339FFF8233C29C022D6F64132B3565,SHA256=245A00C8C84BF6FDC07FA7C3AA0F192283A8D1E55AA1FC5212B59BDBE5B0DC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056299Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:25.480{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N0IVNE6B7B\System.Transactions.ni.dllMD5=B419B44AAD97CA3AA622FC69F9F700EF,SHA256=85E6B77303F3C2B52190AD6ECB73FFF9A6EB42C02D61D315128653B8D806ED7F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056298Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:25.465{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MQOCM2A3T9\System.Data.ni.dll.auxMD5=55B9DBFF22E9F9EA9030C8506FBB4BDD,SHA256=21857952A4D88926E936A4E055A5A32BC852B2C854FB5B5D02E2CE26FA11076B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056297Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:25.465{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MQOCM2A3T9\System.Data.ni.dllMD5=5B8A1387F38B3747F281326AE0AE6046,SHA256=72AFDE4C5841503A8DA13C06C8132644F73CE9B49086AF3B3DDBA5F85FA3D3D4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056296Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:25.034{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MMFOGD1HWU\System.Xml.ni.dll.auxMD5=AB37B4D34FC53F43A723D713E12B4003,SHA256=47AFE86256B978AB7CC1A26216ADFCBB2C3B3BE59AA00ED8EF85B73360C40569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056295Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:25.034{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MMFOGD1HWU\System.Xml.ni.dllMD5=6D871CEE5183880F2C6E45D4A633B9BB,SHA256=08C1A990205468C817F6A1084644002912BDD347EC03D4139E99E54424A86960,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056309Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:26.949{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N7F7OPQH0I\System.ServiceProcess.ni.dll.auxMD5=FB48CBD15429C7B1F9A14E82CDF8B24D,SHA256=E11D297738EB6EFD68E74B919FC25F124C6CC4AE3E1C7595BB224BF4567C30FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056308Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:26.949{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N7F7OPQH0I\System.ServiceProcess.ni.dllMD5=52E1C1642839FB780CD29C337867C549,SHA256=5823F6CC6549B5FE1FDFF03DCF1B95DFAFDE9D381C04D3C8F5BDCC636A053E54,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056307Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:26.949{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N771T2GRDN\PresentationFramework.ni.dll.auxMD5=1CD640D915EAE872FC60479FB1991D49,SHA256=4136E63F0E092B2DB0DB99F29185481D5F9CF9273FB96BB33273FC4B8F077704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056306Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:26.933{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N771T2GRDN\PresentationFramework.ni.dllMD5=F4BE31FD7508880EBE11971999150E20,SHA256=67784892A02B103C517FFBCEB07F743E14E727539AADA82138342FEAECD1C8C9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056305Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:26.913{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B484EA4B82C35F4D59EE4A914CEED9C2,SHA256=F2ACBA2C8DA1B1C468A35DEF459C698AA72D38AFA3CF10E3D84A0401F7F9C6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028424Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:26.670{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED9CE5AFD7EDDA3A0272A86F8A458DF,SHA256=B6D06534DBB487E23DC645D04FBB29EB0DFD48994F03DDB0D087B36D6B9EB03D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056304Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:24.099{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65065-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056303Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:26.064{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N6GEV7NRLJ\System.ni.dll.auxMD5=F974195E5ECE86B40F7C98CEAFF80650,SHA256=6FED5EE609434200BCCA2E954E4FF45678A458F016A429BD3AD7BE480AC33845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056302Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:26.064{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N6GEV7NRLJ\System.ni.dllMD5=13DE7F98F0CB9EB352C90FC60D125E6B,SHA256=895BF50B6C923C70F9F96ED6117D4F5929607376E5F00531F7E0E9209D4A1028,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000028423Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:24.026{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51223-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056314Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:27.933{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4B4BB9B5BADB25007A0D8D9C54F37A,SHA256=6E5E8C73D4EB8E9740653042ABD75475D8A61F56685E5AFB785CD2044494A35A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028425Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:27.672{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1583E9E2CBEE0ED2DF3C3B2DDE3C2BE,SHA256=005AC31B8A24DAF8E18DC2E09BDDEA7A02EFF7B2B808DB3CDBE498148873B7A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056313Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:27.649{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NO21KQA2HF\System.Configuration.Install.ni.dll.auxMD5=0CBC2C9737233F80F1C8DD57CE1AE88C,SHA256=6E18B2C2DFA32D6F4925D1BBE903FD9049472C36261FEBA8DD59628E8C6A9F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056312Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:27.649{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NO21KQA2HF\System.Configuration.Install.ni.dllMD5=2582241664CA944A32E31176A66CF0C6,SHA256=B7C2F435943924E46E604D1D35C1835920CC706BF320D85179E53CA0F84354FF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056311Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:27.649{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NL4EC7YXBV\System.Data.ni.dll.auxMD5=EDB7CB075A217959013CD75CE405CCD2,SHA256=240A71F1AF20552B564ACE0F494BDFFCA2B3982D62D762D1E71E6E1535797972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056310Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:27.649{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NL4EC7YXBV\System.Data.ni.dllMD5=7ABB236413DDD5D4953BB3A2C663E53F,SHA256=D14A3A1F1851D9FD244CBF574F22A3B94B05FBBBC6147381E68F694AD59574E3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028426Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:28.906{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD196D1396F77F4799EFFD9B41AA6487,SHA256=FA0F7E40BB1D8883BE2FF5E84BEFBB99F445E2D08EB2C5B5811909100DD9DBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056323Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.947{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305CA7D53FFF00863D3D3BC91EBAEAD2,SHA256=D66B5FA1CC67B6F9D5AFE7D02BF67A72B52AFF9D341EA5C656AE23CEF806956F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056322Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.595{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\O4I2YE29AG\System.ComponentModel.Composition.ni.dll.auxMD5=694406FEC9A4D3335D220AADB0FA8797,SHA256=45E44499273F3E2F07640B16480103FEAE49022794D70F6B761C1B8A7D283CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056321Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.595{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\O4I2YE29AG\System.ComponentModel.Composition.ni.dllMD5=0632FC2C8FE933134DC4039823BF7DDA,SHA256=65074EB6B679C8BEFA936EC373CCFDB9EAE1A71563936A3F77DDE751164D8143,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056320Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.548{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NYU4M9NQO7\System.Drawing.ni.dll.auxMD5=AE1806558A5233CA0895E229CA9A5CDD,SHA256=BF8A1C5F9A51673F43C265FD747004440EA4B3BC1CE92378D2A9C6B197995F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056319Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.532{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NYU4M9NQO7\System.Drawing.ni.dllMD5=FDBA63CB8F1C68D60D66AC4C25A52A2D,SHA256=9DFCA47793FC5BA5B8158ABB6E3487263E7967F0CD4533083D465AB38EA2018C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056318Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.479{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NVJRBVWD7A\System.Core.ni.dll.auxMD5=48FFD457B52D2283A43AAA2D8D7B2895,SHA256=529CDC113FC10D5542623FECA65BED08EF6A85D46AD9F372D32D25C91224FB54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056317Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.463{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NVJRBVWD7A\System.Core.ni.dllMD5=783B07F6DC4FEB9350CE7157E6240EA5,SHA256=A3CDC262830D14397834BF31D00E6F5179BFA6B9E570BD76C623E6033A0FF60D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056316Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.095{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NSCDQAJZZE\System.Data.ni.dll.auxMD5=CC9F9CB4F637C42741255EF17203B47C,SHA256=370A27D995B8AC7DEC609867B2B7BBEA89A465AB01320C77D7F8CB57793DC76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056315Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.095{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NSCDQAJZZE\System.Data.ni.dllMD5=4CE9DA541633C93EAE8D016C36CA6BF4,SHA256=08E8F1F9463152B6AABF02E6A7CB02A2DA4608AD745320837A9718B87B52AA29,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056332Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.962{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C3F362D9008994E54AD4ED99D49CCD,SHA256=5686B7B15B4BAC9FCE168F638BAFEC13EA0759C1B5BE4F8AEB61B92BA401C094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056331Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.931{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OHA33DE8FN\System.Management.ni.dll.auxMD5=CCBA581D1AE4127E8E8C1E8326D49761,SHA256=4D8C3BA60FD1E09A0DFF0A00FBC68AF12DC3C85C20BE290319C9DE464F483EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056330Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.931{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OHA33DE8FN\System.Management.ni.dllMD5=57063C01F33CD670DFB69D6FCC9A121D,SHA256=911E07923D182AA145FA9818B97EBBC31CF79AF003D918CC09E2D71E63F7FB9D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056329Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.914{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OFVXZGR1VK\System.ni.dll.auxMD5=F5E454AFEA99BF074A1D3313654C9C7C,SHA256=15FFAD8EC46C0265F01EE5C5891650A8C1D7D481080057D01EC1F0B597D009F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056328Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.913{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OFVXZGR1VK\System.ni.dllMD5=D60796FB70D97A574714D0C77F93D97D,SHA256=A1C4314F753DA4EE230B0AB995A4F9EC872F35780174F6E060A1DF56EBBBD6EF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056327Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.094{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OD8WEIQHVA\System.Transactions.ni.dll.auxMD5=799D1D6903AEF7B551CD4A4C6B265AA9,SHA256=EAE828D0DC70B8C0CADC0F2FB1EB4DAB7A5E36C371C4B8A27C807DE7C0974339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056326Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.094{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OD8WEIQHVA\System.Transactions.ni.dllMD5=8D18FAAB7987602078CF848438C95F88,SHA256=AB760B68DE4E3D55C85FBC48423AC7C47C8A8C34FC3964E0473DA960D0BC3C5D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056325Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.047{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\O8XCWSNQV8\System.Core.ni.dll.auxMD5=EB3705BF415BBFABE3EEF435BB9CAADD,SHA256=19E4BFB51F3918297F82E34403F9F1935B17BBC2A78E6C4247D6089C94C8BF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056324Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.047{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\O8XCWSNQV8\System.Core.ni.dllMD5=D34A762C6315A7E500BD3DC88FEDD43D,SHA256=80E62A15C9EB0FAB896B1D0A216D1C3AB4C103B8F957DB46C14E6DD9614D43FC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056341Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.977{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A59E9E87E0033C94A8D02955EF7CED31,SHA256=A527BAF737F32F8A6EACB4D853DB0FFEF14F05B05A9290EF2C6E88D96071F62E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028427Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:30.062{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68142893E5D3DC5C08EA8A22A851D014,SHA256=E5EEB5B5958C7C6164067FF876F77EAF1770A6E05E780714879FE4954A1B6FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056340Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.892{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P1WYFUDXSN\System.Security.ni.dll.auxMD5=74E5478F4A51B682700233CD6B7C05DC,SHA256=4BC93A21F6F5BE0B8E4ACFB6F96A6F3B1444A8310826E2CCC4DD8862E4D6F3E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056339Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.892{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P1WYFUDXSN\System.Security.ni.dllMD5=D518D6481A2B6037B8E61101718E6EB3,SHA256=154839515F16941BB2AB2FF9716A5CBCA5FECCD9CEAF9D0D51BA9797F3B98721,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056338Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.793{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P0RK1OW14J\System.Configuration.ni.dll.auxMD5=F07B09293E0492E71E96C7A764BB524D,SHA256=A24285135DCD60675A12C5E36DF5B3FD7AEEEACFD305973C262A0C73053C7703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056337Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.793{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P0RK1OW14J\System.Configuration.ni.dllMD5=B0386808CBC978446F0D8638C53F9F02,SHA256=7E05166D981CF6FA3157EE088305E2B901B9721FCED6370E9D1CE7511A71AC64,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056336Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.710{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OXYH1ETAXY\System.Core.ni.dll.auxMD5=5DCD12C73B9F94AD86DD5CCFF0961B76,SHA256=F48412CADA48829BCA494224CE73B46166853194748E6A93117C35D3A388A473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056335Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.709{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OXYH1ETAXY\System.Core.ni.dllMD5=0AA216B359BB985E91C06D6CEC347EF2,SHA256=5EDE9B67C3A3A41FCC240B0D7F27764343BD8C1BB1EAC39F441E00C6E5066C92,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056334Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.031{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OOS41VYSH3\System.DirectoryServices.ni.dll.auxMD5=5BE283A9E68591B32773566F147A211F,SHA256=83CFFD1BAEA158353574578F2145C054F207526C8E544F114652C4EF01713BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056333Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.031{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OOS41VYSH3\System.DirectoryServices.ni.dllMD5=8CE05080E8212D45575DB5EC52382363,SHA256=B2960982ADB25974561E8356470B1234CDEC00F5FDBAFDC39F221B37F914433E,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000028429Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:29.946{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51224-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028428Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:31.109{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111543E9A15926F28F5F471AD538AFB4,SHA256=4A40A5FDFC25117245CBD26777EC74DCB554FF4FAC74C0D06107123226D99498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056350Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:31.745{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=88CA6010F473590B23CECE289D495AFA,SHA256=83844FE698CD93AC701A962AC346D2D4CFFA04E4880493C171391873776CA4BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056349Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:31.745{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D46502967A9808067598AC7B540543F6,SHA256=69271DC4E477E41E9DC5CA105D19D96192ECDC8BB20224BF72DAF652F35FE10A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056348Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.011{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65066-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056347Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:31.492{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PC4QJUM510\System.Numerics.ni.dll.auxMD5=46C8A979AD3266DDEF725C7E593B0EC9,SHA256=44F41AE20DFD28ABE6EE0E04898C519AD9709FA50D948409B2ECD81BB20D3D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056346Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:31.492{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PC4QJUM510\System.Numerics.ni.dllMD5=63A9B260BCFCC94E75F0B012DE2B32EF,SHA256=3BFD410197EBDCE1914F9CA077D5B2BE75A664A54D5D9B05169694327EC86CE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056345Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:31.492{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P5RBFV7DTM\System.Management.ni.dll.auxMD5=9E113C3F173739443B36B19DD5C6669B,SHA256=E6D1A62EA7C191912AA011D805E8000EE89FE7281E888EF7A398F4FBA9AC4182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056344Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:31.492{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P5RBFV7DTM\System.Management.ni.dllMD5=545B093E8C7408982436090E8E13BA3C,SHA256=CFFD545D318D02B523B06E28AFD09A3649D013965B45986CFCAEE54A07AF0C1A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056343Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:31.413{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P3LFTWOA7M\System.Core.ni.dll.auxMD5=0B7B3547A6755335583D2C975D27717F,SHA256=CB5ECB0625E0E2D5C2A864279FFAFC96048F0E10B0A47437B6CA6D8FA2DAE6E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056342Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:31.412{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P3LFTWOA7M\System.Core.ni.dllMD5=90F0732AF7D2F9207DEA5BD7ECAD33B0,SHA256=C929FD867AE7413965067562351E1DFA8D05721D5A6151A3B575EB94B970F923,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028430Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:32.344{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBE0BA5CA846D6E04D08E435F64095D,SHA256=A1B18B56416E2B444B56F3A109B46C08E6B3243748DAD7F2465CB6116D9E53FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056363Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.591{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=AB98CA7C43DC26855652B207A9BD2094,SHA256=7278E63A49DC8E81FAF4371A8397BE20166B2551908F7525E4AB8BAD22E832F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056362Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.591{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=C436DD402050BA89DB203B2652F16FC5,SHA256=CF8CF2B136233D56709739233B60EE1AD8AD2E5471C19B96831A9253FC5B007C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056361Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.591{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=E26ED0E18436CDD1F18ED3154828C9F4,SHA256=25DF6B4AD6705BD75481DDAA7B97CD7B2DDF415877728256B2302DB47EF784E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056360Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.591{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=07639C381EC0DB010E9C801F1068C1F2,SHA256=8C76735649E8E0D85EB738EE9150C2FEBA1F7036E03FBCD281FA24025B1DAAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056359Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.591{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=D0C527F6C886FE030322CE9E049C1634,SHA256=92003F4E0F7179DB4958CF7F7FBE9B707F5EAE54676D0E585E0D7F1C4400F70E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056358Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.591{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=4BB7CB6C44DDB6F87452F67E1EB1A498,SHA256=5A72FB98EF23E21A514F100F1DCFDEE94F12B98B996D7BECE1C2ACAFD27BEC7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056357Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.560{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PYJA7OW6LL\System.Transactions.ni.dll.auxMD5=67EA7579FBE5D95C014B695402882EE0,SHA256=02A0F13F1E4E2882F3F1298FD9F09EDC0DF787CB503D2929A7536ABCE64D90FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056356Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.560{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PYJA7OW6LL\System.Transactions.ni.dllMD5=0111D3A2E533281DC6DD7C981CB8CAA1,SHA256=600DE357800878318E9B1C166BF9402EACA737CADBAB9ADCB7FDF8BBA6C67030,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056355Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.545{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PL1HU7TT90\System.Numerics.ni.dll.auxMD5=D4AF447AE12A5806CB93B8D78E283140,SHA256=09DBF9D69C0FA8722ED60CCB128241D63E23DBAAC1AC0C3406136024ECC0EEC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056354Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.545{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PL1HU7TT90\System.Numerics.ni.dllMD5=5FF3E0606A26FD5CED8795E64BD23991,SHA256=3100FEDE83BB1EF84518D4DDF9344F0FA72E1797C5934D4BDC3C0473463C8693,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056353Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.476{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PG3AN2E5Y1\PresentationFramework.ni.dll.auxMD5=1CD640D915EAE872FC60479FB1991D49,SHA256=4136E63F0E092B2DB0DB99F29185481D5F9CF9273FB96BB33273FC4B8F077704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056352Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.476{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PG3AN2E5Y1\PresentationFramework.ni.dllMD5=F4BE31FD7508880EBE11971999150E20,SHA256=67784892A02B103C517FFBCEB07F743E14E727539AADA82138342FEAECD1C8C9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056351Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.013{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6429038346E459EB83B2AFE047CCB31,SHA256=0E0667682E694FCBA7D709D19CA52FEBDEEF046141D48BE99C2BD61077E8AE26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028431Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:33.578{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B7C35EC8D828B5FFA140ABFA89E49B,SHA256=79926102D3B3AAB5CEADE532E26A426C058FD03D89F88F33F27E7DCE0BF5A18E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056366Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:33.609{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Q2MFXXO1IW\System.Web.ni.dll.auxMD5=83B0819F19853C14765B24B1AD811ABC,SHA256=24231188EFF9EBADA282616086E59934ECD0A180EACC8CBA3A623AE1026052BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056365Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:33.607{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Q2MFXXO1IW\System.Web.ni.dllMD5=5AD420742C2665182250F7D95FF74A76,SHA256=7A8D4B30B8FF51570A614F387F29715B80B2BBC4C7BB4213062AD17DDA698C4A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056364Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:33.028{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F97CD35069921DA9A3208F18097C97,SHA256=5C09786903633E0A424B9416A8D8361DB5AC8837A81E72734E13C61DD6D74B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028432Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:34.750{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=618541B64143B2BBD2777D3C16A029A8,SHA256=EA3BE9A4B412A42AB4AA2C99F1D4501670C666725391D7CBAF560B530A0179EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056369Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:34.390{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Q5MF3AYVTA\System.ServiceModel.ni.dll.auxMD5=D9EA29F8B3C587F8A388E2C44AF446DD,SHA256=61515EE0004F0BA51135A47837FFBCC51EC1417BF6C4D10BDB1F4DA6E2C17F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056368Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:34.390{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Q5MF3AYVTA\System.ServiceModel.ni.dllMD5=72297374A83EFE1E568D5F1AA1B4E748,SHA256=0C5281E6416D4F9EEE59F1CAA2C737DB472DEBC0A7F15B038484A51AD2D9634A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056367Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:34.059{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163B19EB090A9C7C1B6585DB4F4340EC,SHA256=40D40E2E5C4CEDA514C8B5DC96702CAEC5915FBB14E176962619D596BAFB09D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028433Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:35.766{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFDFB0DB5F278C718F8DBEBDE7CEFF46,SHA256=63F6F2633D43A58C945DC6ADA8B73DF2A7CAFF78780FD5D8B8E795BDC04A62B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056409Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056408Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056407Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056406Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056405Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056404Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056403Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056402Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056401Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056400Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056399Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056398Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056397Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056396Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056395Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056394Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056393Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056392Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056391Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056390Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056389Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056388Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056387Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056386Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056385Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056384Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056383Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056382Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056381Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056380Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056379Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056378Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056377Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056376Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.511{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QXL4YWDM1H\System.ServiceProcess.ni.dll.auxMD5=FB48CBD15429C7B1F9A14E82CDF8B24D,SHA256=E11D297738EB6EFD68E74B919FC25F124C6CC4AE3E1C7595BB224BF4567C30FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056375Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.511{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QXL4YWDM1H\System.ServiceProcess.ni.dllMD5=52E1C1642839FB780CD29C337867C549,SHA256=5823F6CC6549B5FE1FDFF03DCF1B95DFAFDE9D381C04D3C8F5BDCC636A053E54,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056374Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.511{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QSGIT28P8A\System.Xml.ni.dll.auxMD5=6A7FCA88EB093FE1BB082E272AC2421D,SHA256=A5950FA568159B35AA8963997DB039E0CCBABC8668001E24B0E8E7B05467B0DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056373Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.510{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QSGIT28P8A\System.Xml.ni.dllMD5=D2D51896FC97FC53362B468BA49EEE3A,SHA256=D42A3DE02488863E75FAED49C251D958F8C26CC2F523ACA01D0F0CAC4052F78C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056372Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.127{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QGHMUB8IBD\System.ni.dll.auxMD5=4C4FFFC3E154C905C9C643845FCE328A,SHA256=1F43D99B3935FB07CC6C6340C832C92C43495F06826C07A01FEBF4BF1E97336B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056371Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.111{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QGHMUB8IBD\System.ni.dllMD5=78947C49BA92424CC6AA6E8CD6D1CB3A,SHA256=4123DF564E230E74A1AB0AB44271D9B033898AE5F9BD741BB3C914D6F1D539C7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056370Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.089{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60447DB48F5E61DBB2477A2A4BA6844A,SHA256=AA4C78131593923E81A760CFE406AED28E81A70FE8D27FCE52C6AA21A53DA35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028435Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:36.781{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6EA3A3736B8928639072141AE5D24F,SHA256=77C637A30FC03AAF6A5B0838AF754B774448C92FF15DC584D002DA37B987B3D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028434Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:35.071{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51225-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056415Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:36.726{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RFANI0AIQZ\System.ni.dll.auxMD5=9651A4D69D091A91F7509B493895084C,SHA256=7F97FFC6DBCF14DEF386747D99B2204F6C0BE9C123F585888BF0BC23B424155B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056414Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:36.726{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RFANI0AIQZ\System.ni.dllMD5=0D511A145E1BEFBF8048E4958B18EF8C,SHA256=5B4E622B50F3659A09BC10F7047FB5AECD568565E358232DBD8B85B615F42FB0,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000056413Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.122{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65067-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056412Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:36.173{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7B86D1672D73FCE8444BD703BFFF26,SHA256=EAFB832C1D36C66BF57CA1DFAF7F9A3DBDA719CCC0D3DDD6DCBE222ECCB0C1F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056411Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:36.041{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QXUP2CX6WS\System.ni.dll.auxMD5=0ABA8EE4C96771CD3B6CD56A2DA9CBF6,SHA256=9C26CAC4A3E0C19DF4928C90F5F36A2D5AA689905B7AF3E9A7CBA5B925753D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056410Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:36.041{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QXUP2CX6WS\System.ni.dllMD5=FC806E761F72F4A41798B08766D9DB13,SHA256=1B6FB65CE6BCF66CE1BFC0BE58F06DD2949012D03BF79CE67EB35A20A5460839,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028436Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:37.781{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDC999FA231E36C5E10E27C59B35B02,SHA256=D2F8D03DA087AE9B21C2A18736BBDDF86BE2952445BAB6344B9536FC43536239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056426Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.808{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\S28N7JUG56\System.ServiceModel.Channels.ni.dll.auxMD5=24C96490414503BD6F9A89910E524FE6,SHA256=90368670D86C6D23108DEFB97877396DB68D63E4C13B11C6F482519FD387661B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056425Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.807{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\S28N7JUG56\System.ServiceModel.Channels.ni.dllMD5=0B906FCE3A311AB81C8EBEA00FD629F0,SHA256=E7F372A1C2CF8BDA12DBD0860F3562D207689D5C6BECCE0015EF5CA97E7649E5,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056424Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.741{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RWWS0XEEX8\System.Management.ni.dll.auxMD5=3C0E46C45BCF91E9607FCCE8F2EB1153,SHA256=8B62160D2B2016E7615E19AF407C52A66A6AB89F6AA48255F39D85AD826A6391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056423Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.741{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RWWS0XEEX8\System.Management.ni.dllMD5=ED030D562E600AD124F818C0F59AE89D,SHA256=5080BE95FA9CA821324B2094792AE5A473F1CFBC38E20209EFDC3E775D054CE4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056422Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.572{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RTNTAJ5QYG\System.Xml.Linq.ni.dll.auxMD5=CCF15A1A5478AD4C9A6C5EAC3B4EDB1D,SHA256=80C7E515F2F30459C447E0C663804F04B2325BC9F6246CC881B933FFF502A2BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056421Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.572{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RTNTAJ5QYG\System.Xml.Linq.ni.dllMD5=01675F7E454CEA910CBAEB0A7D4BF59F,SHA256=0F6DF0E70167F51DABB0B82E921D337094D2833E91B72BF4BE15756F8E49DA88,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056420Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.556{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RLJ402KVPV\Microsoft.CSharp.ni.dll.auxMD5=4F6E2CF657AB3C20B463DF7873DF8594,SHA256=F609CD67B4E59BCAEA6C8472B314A28DCF1872AA6EE9113BF399F45726EB4F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056419Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.556{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RLJ402KVPV\Microsoft.CSharp.ni.dllMD5=5F895695883F631A993A0F8F582807B3,SHA256=1C785DA125A9DF9516988A97E44348DB77186BA39EFF3C7F82E5391505B61CC8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056418Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.472{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RK5K12ZZVI\System.Data.ni.dll.auxMD5=AD2C4453E59EB7892FA2CC4ABD0A7E7C,SHA256=DE2C69FD102FE3E1072F2FA0F3FB9625D65E9059393B2664F5D464A7E3FEA7BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056417Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.472{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RK5K12ZZVI\System.Data.ni.dllMD5=504A4880B14625199F3F1AEFCCE6B202,SHA256=3F6D6E89B2EBE19C15EDBC2E78B8BE32178FDB37A8C1DB5A46DB8A76701910EF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056416Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.188{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1C48AF510A30E66E28EDD69D2F1762,SHA256=813CAB12BE2182D5A5E332C69518344F48F997F89E990F2952D36E82C2061160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028437Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:38.797{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FF49C7056767A81ADB987060C50F8E,SHA256=1C16EE539B54FEB8997E507E9839DAD7786ACC384831E20FB3CDD182E47B270D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056433Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:38.756{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7B0B023C4DE056F1059856F419B5D9D3,SHA256=826D2E10A94563C3A50A1E990D7E736F4888F42573AA77A58C635A21516E30C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056432Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:38.756{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=88CA6010F473590B23CECE289D495AFA,SHA256=83844FE698CD93AC701A962AC346D2D4CFFA04E4880493C171391873776CA4BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056431Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:38.672{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SG3QQYR109\System.Core.ni.dll.auxMD5=9C2C1DF16379BF958B0D67E0B3610AE4,SHA256=AFBE99A8170E89F98A87750E88CC02E6E9B7B6E188CA47043EB1B64C68FA0B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056430Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:38.672{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SG3QQYR109\System.Core.ni.dllMD5=E0408356E6103FCD924AC2285DC1C885,SHA256=0D45CD52A92CB9B17E8931E21B3183C8605255624264C10BF9B5AB5FF14D8D0D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056429Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:38.341{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SE93RZEWOY\System.ni.dll.auxMD5=02AA118D8E3C67485AE986D7809E5813,SHA256=B90C0DD717587FAB26AE04FAA85FAB8119FF23CDD5596A954BC5E660BB3EB1CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056428Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:38.341{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SE93RZEWOY\System.ni.dllMD5=6D7E9BF18E21AD794AF893EBB009E6A7,SHA256=837C8E670276112124615988CF0B655B6202FD2F351A34F56A7159AF12C4855A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056427Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:38.209{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4933175EFC2B150CD3F0A3215514D764,SHA256=26DE4BBF8080376D3E829648E5437F300EB951D9BD6ACAD8B3DAB467870CCEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028438Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:39.813{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9393E47790D5F55C3A6D2C7409B306,SHA256=16347E0752423C7606698B4496415DDD0CAA377F14E3E7099E57E231DA7A2DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056444Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.571{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SWWQ6AOVGJ\System.Xml.ni.dll.auxMD5=E01ABDE7405B6917FD52CBCECEDFB15C,SHA256=73DEA8197F091277613BAAFEDBE37A4231410291B5AFABAC8D6907407482215B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056443Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.571{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SWWQ6AOVGJ\System.Xml.ni.dllMD5=5F6EA5E77659D339DC666E0BCCD7B0FB,SHA256=D03C42DCD3565491379E0C0940E60507EB8B28F6FAC705F98D68A788AA31F8C8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056442Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.287{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SUK77Z1XOM\System.Drawing.ni.dll.auxMD5=DCEFC8B9CB7245B90F2A6AA4084A0F71,SHA256=3760AFB996B9C1860A13167C3DA5FD6B019EE185076145A71387745DC8DA24A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056441Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.287{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SUK77Z1XOM\System.Drawing.ni.dllMD5=E8956B039DFD94E1EDBD129DE56F3F2D,SHA256=1DAC647C4642EB0A13A5135BCAF254A30E477CD5DF6BD7DF978F2065CAF5BFE2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056440Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.255{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A7DA740D9DB6CB5C9AA9D9C3B0F19C,SHA256=E22E8B7345EF9854929F4EE11DD9B6515F36F66EB3C4875AED0B0CBD795727F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056439Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.240{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SU6BGTV8II\System.Management.ni.dll.auxMD5=FE20915E753A6B48C1D7C978C1AFF282,SHA256=D66CA48589CA1B1CCCDFDE70ECB6B57B258A0962DA308809DD46E0F4ABEC0D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056438Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.240{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SU6BGTV8II\System.Management.ni.dllMD5=A2398F5CDEEC4226380CB620C5D180D8,SHA256=4007C9B8A5360D49CD4DA98D262DA539AD790AA13CA54712757441B1C56F2980,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056437Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.187{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SQ7M0TZAP9\System.Management.ni.dll.auxMD5=A1123A272EA45D0BE152C0EEBD6784E2,SHA256=5B0E627B5F7CFC5A685543302698C7882E396403C78E13DE7A7443221A86F536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056436Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.187{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SQ7M0TZAP9\System.Management.ni.dllMD5=1EE419429DFC6FD092EA7828ED535BFB,SHA256=66C905BB59A36F4F0D862B6C9C7125C212BCD31DC12821EEB4B7B72994CAA787,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056435Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.108{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SNLOKA1ZYO\System.Core.ni.dll.auxMD5=68F3E83339872D673C61BCDADE513017,SHA256=25ECE5E7917FE392F280C93C69EA441333898E738D28AE8C2F578E364ED7DA77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056434Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.108{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SNLOKA1ZYO\System.Core.ni.dllMD5=E993EA2898B9C9812D58FFE1AE84E74B,SHA256=28BB8495AE0284A1262A0A7F02F222498059917F05A973937589A60F9C8A23E2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028439Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:40.828{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301CA183C36698DA06C8BCC6BA52FE52,SHA256=3386FA05EAAA03F70B67FB774494E5665BDF05D34FA524BA526221DBBD806B86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056449Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:40.785{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\T7DUA2RN2I\System.ni.dll.auxMD5=97D37AFB390992CE3C6F1D4E1112CAA5,SHA256=E9BE5584192A17CDF882242AB2C104E2A185B276E589F81AEC50663E4BA6F881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056448Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:40.785{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\T7DUA2RN2I\System.ni.dllMD5=709A692740777021A1BC08A50B61C807,SHA256=AD85D06B3912A64986318D87202BDCAD748D6E68E3B693D37459EF9874889CCF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056447Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:40.270{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C6200E1CD876A9B953AC9CA06ADF2B,SHA256=23BE6A69BAD0274C91D22532D26DB30CE3B8A79B427F7A18CB0CCFC93DD00CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056446Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:40.070{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\T35SMSC9NL\System.Core.ni.dll.auxMD5=F17814BA3A499E75D25D8600316A312E,SHA256=83B003AF767D928434650744A536BB23C6BEB46D3D16DD964DBE77382A1EADC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056445Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:40.070{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\T35SMSC9NL\System.Core.ni.dllMD5=BABB1248300114458CE418D687F12C45,SHA256=2C4CF0E399747B3A28FAF4BED3A5DB80E1B32E39A1F6AD1A24DCEB2F4BDBD731,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028440Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:41.859{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E530BF709E02A297F14F3CC2B43D8D,SHA256=AC3C74C9881B74620158DBBAEAAB66EF2C61C3C50BEA917CAAA6CFFF44ECAB96,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000056458Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.385{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\AlternateServices.txt2021-07-19 10:42:41.385 23542300x800000000000000056457Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.370{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TREBLZ8848\System.Transactions.ni.dll.auxMD5=345B032FDAB64413D929BFBDE26FDCD7,SHA256=2071BD12C470F01C83E6EFFBADF7E960568551E140259A99309F9CFF8BE70FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056456Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.354{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TREBLZ8848\System.Transactions.ni.dllMD5=CD8B06DACE1AE70F053FB67F75439D1A,SHA256=0D78871A1A1AFA2B8AE0A97E0D781565C2014C1A4C687D3731557233DD0684C3,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000056455Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.286{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\SiteSecurityServiceState.txt2021-07-19 10:42:41.286 23542300x800000000000000056454Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.286{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TKH0RXDAYQ\System.Drawing.ni.dll.auxMD5=6C52FA11480271A7CA24597B93F7BB04,SHA256=61F5983290D91AB3DF009F8C874FA8FE2746C9AB30195650831EE3035CB71CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056453Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.286{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TKH0RXDAYQ\System.Drawing.ni.dllMD5=C0CD3B953E9ADDA2C2CA1B521CAC444A,SHA256=792530B90A2559951E4A2DBECBE5B4B3FDC08CB4140A89FC252E49C9FD342359,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056452Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.270{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA095F2D5287A44182BD6DD9C7E7BA8,SHA256=2313AED49508E4283349298CFA1F93D16E944465E3C43BEFF316F68E2E63FBC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056451Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.254{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TGY81KS0Z5\System.ni.dll.auxMD5=7A44EFFA7DCC91B7C5544BE94DCAB99B,SHA256=82430CD1974781DDBA8E3229219F17123658865551FEC8BC2D4290A1B5106A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056450Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.254{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TGY81KS0Z5\System.ni.dllMD5=D52C7EE4CFB46F754E22E0C2A47AE1F7,SHA256=70C0BF60131A45390406D3C461BEE5C0449868CD3E9B41A89FD5808F16D9516E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028442Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:42.953{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83ED572EA0AF2746A06E028C361CFD1,SHA256=FBC4AD169BF1625CAC73A3928C9466D1A2E99E9137E7D8EFC8496335F1C48A2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056470Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.019{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65068-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056469Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.606{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UD49G3NY52\System.Core.ni.dll.auxMD5=4D66BF5119D58A48BD3F7A7AD7354010,SHA256=131D289921A8DADB218DF0D0E67B3EF964AD315171A92823D7FF5B7881E1CA98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056468Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.606{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UD49G3NY52\System.Core.ni.dllMD5=2A6660246DC3C48C26515DC456C27404,SHA256=3A9DE09DE10C5F9F3A1D3B49FEF7A50181275A29E7A6B909E2850D80DD736457,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056467Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.284{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04F6CFCCBADA3006E3EE3020F4E4186,SHA256=5C8F69E02BAC3082B820B5FBB5F6C078075A4C6C7D109755BF8FB715C3E1F1BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028441Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:40.993{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51226-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056466Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.206{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U97084HOD2\CustomMarshalers.ni.dll.auxMD5=1B8DC30D3E1603C9DFC6045DE267AF71,SHA256=9760764A3E526F12D9481D6A6D9590E737DDEDFAB481D8ECB2296CB32C0DF0AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056465Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.206{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U97084HOD2\CustomMarshalers.ni.dllMD5=53F371A0174862A68DC878FBC0D61266,SHA256=9FB938EC3F9D66E64AD525DE4F30CF27153A929044D64DBB8874CE5B01F8697F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056464Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.204{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U739SMKF5F\System.Core.ni.dll.auxMD5=0BD1EE710359986138D606E01704020C,SHA256=039FB40AD72E182F9DC338A4B476A09DF5BC0C16D5D4E6EA98AEF90608E93000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056463Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.203{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U739SMKF5F\System.Core.ni.dllMD5=FCAFF91D24B5B6E9F40F800BEA34540C,SHA256=52F9E74C79109EC06AE07F6F4033FC4C264B560FB7082F25CAC99C7A3885D23C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056462Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.122{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U0PIT4VXCM\System.IO.Compression.ni.dll.auxMD5=41EEBA98CCE6653861F4C0A7CE5DABB0,SHA256=30029B1A6AB901F5296117A11EF64E86D2CD12CDE5513326A8322C7389B31923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056461Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.122{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U0PIT4VXCM\System.IO.Compression.ni.dllMD5=222717FF5E045032C8546855A709602C,SHA256=A51C561900046AC9B7FA831C5499459E234999D2E48F326ECC85A94FC5E5C193,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056460Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.122{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U0MLKMHPO2\System.Web.ni.dll.auxMD5=3BF11075FF377DABD00295A10B159897,SHA256=06CD7958ED343C21E2B632F48856453AB2FDB59C7C3B82D30FC94BE485E62884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056459Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.122{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U0MLKMHPO2\System.Web.ni.dllMD5=A0A7A24BBB1337F0F402CA464D0270CF,SHA256=7A6208DE8BAF9327E0195E456E67B16729EACB4BF7CB6D9CD1C9A79F58B1F2FC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056475Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:43.867{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\V6PJ8FVQ98\System.Numerics.ni.dll.auxMD5=46C8A979AD3266DDEF725C7E593B0EC9,SHA256=44F41AE20DFD28ABE6EE0E04898C519AD9709FA50D948409B2ECD81BB20D3D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056474Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:43.867{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\V6PJ8FVQ98\System.Numerics.ni.dllMD5=63A9B260BCFCC94E75F0B012DE2B32EF,SHA256=3BFD410197EBDCE1914F9CA077D5B2BE75A664A54D5D9B05169694327EC86CE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056473Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:43.804{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UDREXPIV9W\PresentationFramework.ni.dll.auxMD5=8F1FD4778E91747A58145154E17EA5AF,SHA256=5F51126070FAC3B2FE9EFFC6F556531FCF6A24E2CDABA5256662A878DFC9E787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056472Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:43.804{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UDREXPIV9W\PresentationFramework.ni.dllMD5=4EB0ACB2849F125982D53B74DBA06226,SHA256=BAB44F496D0350D8D73DD0CC0D493CC1C5F26C6A4959F50CBBDA7560E58A220E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056471Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:43.302{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49084F599DBCB772E864565EA293D997,SHA256=0CF5B144C2EE7FE51131989ECCCEA2C6ACD6E0EBE4DBCE51EA47674CF2970765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056490Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.982{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W0SJHH1P9V\System.Numerics.ni.dll.auxMD5=FC4A9B25E8155BEA4F2BAD2E9934B186,SHA256=E75825CDB00102013ED61BA8DC72868336265A7A43AFE27482A839A08E34DE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056489Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.982{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W0SJHH1P9V\System.Numerics.ni.dllMD5=0302AAD9C6C6C01BDD78B04909FF39FC,SHA256=EF8E4770CE7024DDF0796A901E32C0D76F1ABD6508ECF24129A56EB18CC7C677,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056488Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.982{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VX4BCJ2LB7\System.Xml.ni.dll.auxMD5=040DE208CE1EB5D0024CE936E00E3392,SHA256=33953292338BFB6EE2756974051377A824A6C6DA3BA533A3FBA6D86218957BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056487Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.967{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VX4BCJ2LB7\System.Xml.ni.dllMD5=6644706835E5D443B9822C53AED1B87C,SHA256=14CFCA3962038FEEFF28F93571BDA791D9DAF2FB8E34C066E027DBEF1D07F5F7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056486Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.883{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\y7l8cnva.default-release\cache2\indexMD5=A5591CE17034C565965AC09B3D45409A,SHA256=E995CE7CDDC8897407AAC246DD81154D159D9FA2CC23E9A4442FEF36D3831526,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000056485Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:44.867{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6676.3.125328132C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000056484Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:44.867{43EB4363-55FD-60F5-AE08-00000000E501}6676\chrome.6676.3.125328132C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056483Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.867{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55FD-60F5-AE08-00000000E501}6676C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+521b0|C:\Program Files\Mozilla Firefox\xul.dll+29fa9ed|C:\Program Files\Mozilla Firefox\xul.dll+29f47e9|C:\Program Files\Mozilla Firefox\xul.dll+29f5251|C:\Program Files\Mozilla Firefox\xul.dll+29d22ea|C:\Program Files\Mozilla Firefox\xul.dll+29d3924|C:\Program Files\Mozilla Firefox\xul.dll+29d6413|C:\Program Files\Mozilla Firefox\xul.dll+1a72d19|C:\Program Files\Mozilla Firefox\xul.dll+1a6d767|C:\Program Files\Mozilla Firefox\xul.dll+58ae95|C:\Program Files\Mozilla Firefox\xul.dll+58aa11|C:\Program Files\Mozilla Firefox\xul.dll+2ec4125|C:\Program Files\Mozilla Firefox\xul.dll+28808c|C:\Program Files\Mozilla Firefox\xul.dll+286a75|C:\Program Files\Mozilla Firefox\xul.dll+1a72550|C:\Program Files\Mozilla Firefox\xul.dll+532865|C:\Program Files\Mozilla Firefox\xul.dll+4ced26|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+485239|C:\Program Files\Mozilla Firefox\xul.dll+1c72dcc|C:\Program Files\Mozilla Firefox\xul.dll+155772|C:\Program Files\Mozilla Firefox\xul.dll+101613 23542300x800000000000000056482Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.600{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VOKV399A76\System.Numerics.ni.dll.auxMD5=EB049ABA5517841C734115079F8BD603,SHA256=2877312EFE8951A61700B5A8981F42E506060308E5D402F8E5FC7F879EDAC5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056481Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.599{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VOKV399A76\System.Numerics.ni.dllMD5=D282D2158C31BBF5B31EE855F7B15EC7,SHA256=72E1074D33DC23AB1D680257B353F3C2210E1C9095D3284570DC678FA3E93907,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056480Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.582{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VGSM4TUE6Y\System.Configuration.ni.dll.auxMD5=EA64890856D84601CF0F15F8F925876E,SHA256=BC3CBF89983AF4F608D30A0FA34FB62C3F716BF7B77DAF65A806DD567D4EEA24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056479Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.582{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VGSM4TUE6Y\System.Configuration.ni.dllMD5=7C4B6B49CBB1C3DBAA853BD4E51B378B,SHA256=91DE196C16599FE3164E02F877E74D5F2526AC8C0B8DFDDD3A07D072654E8E98,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056478Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.520{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VFP45VJMS1\System.ni.dll.auxMD5=9DB501C48DC60DBFB5B0DEA1779EE47C,SHA256=A0D973D80250931A6FB9EE13DF0B860E736D456AEA631120A0012B15DAA98562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056477Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.520{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VFP45VJMS1\System.ni.dllMD5=250BD9B205730F5DAA6260EEF61B4390,SHA256=E2ED60C97B5D4342A06BE98C8930413714AE287B8E678833C0A81DF457D20101,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056476Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.320{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F94D833505D9148D975A4F7F3AB7A11,SHA256=0EA342BE7CA574A5CEBE96F70E1147511A2F14F43F06CB5670C4A9FBE4402A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028443Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:44.047{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961A81B83D8DB89046C72E3583293464,SHA256=B95A0C3F3195A7FE1556A0A27E1EB00F4537008FFB14E0926F4477616E9C6ABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028444Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:45.063{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52CC9EA5A14658923C443DDE7791FE5,SHA256=3500F0DD0E2BF6160BD696A766F5EA02655600C8F5289DD4910475DB549C19CC,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000056539Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.54.139314391C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000056538Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.53.117275825C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056537Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+3e82ac|C:\Program Files\Mozilla Firefox\xul.dll+3e81fc|C:\Program Files\Mozilla Firefox\xul.dll+12b23b8|C:\Program Files\Mozilla Firefox\xul.dll+1307c21|C:\Program Files\Mozilla Firefox\xul.dll+1866ca1|C:\Program Files\Mozilla Firefox\xul.dll+29d482c|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 17141700x800000000000000056536Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.52.11278245C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056535Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+3e82ac|C:\Program Files\Mozilla Firefox\xul.dll+3e81fc|C:\Program Files\Mozilla Firefox\xul.dll+12b23b8|C:\Program Files\Mozilla Firefox\xul.dll+1307b21|C:\Program Files\Mozilla Firefox\xul.dll+1866abe|C:\Program Files\Mozilla Firefox\xul.dll+29d482c|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 17141700x800000000000000056534Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.51.78117614C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056533Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+3e82ac|C:\Program Files\Mozilla Firefox\xul.dll+3e81fc|C:\Program Files\Mozilla Firefox\xul.dll+12b23b8|C:\Program Files\Mozilla Firefox\xul.dll+1307a21|C:\Program Files\Mozilla Firefox\xul.dll+1866904|C:\Program Files\Mozilla Firefox\xul.dll+29d482c|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 17141700x800000000000000056532Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.50.4550575C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056531Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+3e82ac|C:\Program Files\Mozilla Firefox\xul.dll+3e81fc|C:\Program Files\Mozilla Firefox\xul.dll+12b23b8|C:\Program Files\Mozilla Firefox\xul.dll+1307921|C:\Program Files\Mozilla Firefox\xul.dll+1866745|C:\Program Files\Mozilla Firefox\xul.dll+29d482c|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 17141700x800000000000000056530Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.49.172768231C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056529Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+521b0|C:\Program Files\Mozilla Firefox\xul.dll+29fa9ed|C:\Program Files\Mozilla Firefox\xul.dll+29f47e9|C:\Program Files\Mozilla Firefox\xul.dll+29d4700|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056528Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056527Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056526Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056525Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056524Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056523Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056522Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056521Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056520Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056519Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056518Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056517Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056516Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056515Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056514Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+29d439e|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056513Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+29d4315|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056512Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406476C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+122110f|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+1fe73|C:\Program Files\Mozilla Firefox\xul.dll+11fc728|C:\Program Files\Mozilla Firefox\xul.dll+1f215|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+1e76f|C:\Program Files\Mozilla Firefox\xul.dll+11fd4a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056511Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.898{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056510Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.898{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056509Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.898{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056508Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.898{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056507Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.897{43EB4363-55C1-60F5-7208-00000000E501}45564356C:\Windows\system32\csrss.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056506Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.897{43EB4363-55F0-60F5-A708-00000000E501}63406752C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+4330b|C:\Program Files\Mozilla Firefox\firefox.exe+24848|C:\Program Files\Mozilla Firefox\xul.dll+cfe4da|C:\Program Files\Mozilla Firefox\xul.dll+1217834|C:\Program Files\Mozilla Firefox\xul.dll+1215b02|C:\Program Files\Mozilla Firefox\xul.dll+122249e|C:\Program Files\Mozilla Firefox\xul.dll+da6214|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056505Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.892{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe89.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6340.48.475603127\362275863" -childID 7 -isForBrowser -prefsHandle 4856 -prefMapHandle 3832 -prefsLen 15150 -prefMapSize 232815 -parentBuildID 20210622155641 -appdir "C:\Program Files\Mozilla Firefox\browser" - 6340 "\\.\pipe\gecko-crash-server-pipe.6340" 588 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{43EB4363-55C3-60F5-C0E5-4B0000000000}0x4be5c02LowMD5=EB061721B388D0AB67504EA4E0B9CB90,SHA256=F01545312FED4B611BC377F700B6B3AD16C5792D1D6AA5F695D61D8A7B0F23E3,IMPHASH=C483AB042998E5D3F9AC1D5A7C7ABDB2{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x800000000000000056504Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:45.882{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.48.47560312C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000056503Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.735{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WKZTAV0AK0\System.Numerics.ni.dll.auxMD5=1964D64FF04708A0CF5838B9DF1E6988,SHA256=30E5029EC1D69530F1631F056368F3DB0F87DFFCA5C3E7C0D8F81706B0BFE044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056502Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.735{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WKZTAV0AK0\System.Numerics.ni.dllMD5=8E902B0115147C7B7399AC6133CFD38D,SHA256=D4DF764B7FA01B0EAFF612668AFA401B6BBE251A7F89E3B9D935479EF6259E43,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056501Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.735{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WIAV2QPVKF\System.DirectoryServices.ni.dll.auxMD5=91B2F2790B225E9B80B1642A87D19DA5,SHA256=F23B64863222A016CF4439EEDC90057CFEC21BC75A0D7D8118CE8996F42E8B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056500Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.735{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WIAV2QPVKF\System.DirectoryServices.ni.dllMD5=EB699F153BF3322C608FA8EC593641AC,SHA256=C88E1D58C19711E2951ACAD7EFB6D6F420D52D13C93B77B4E80B36396EB5AF10,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056499Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.666{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WFQN4O5QK0\System.Xml.ni.dll.auxMD5=0065E7A8A8E46E486B81AF49DEDC3662,SHA256=16EC780118ECB011D545094DA54471D9E80EEEBFD7B6FC6CC36C0950B74782BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056498Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.666{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WFQN4O5QK0\System.Xml.ni.dllMD5=AE3813D8498A050E3F1C35361CBB502B,SHA256=D6ADECF0D79D00DE226C5558372C5A2AE2F662F9A9F0BAAB1CAE8FCCB77A525A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056497Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.320{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6375D54C80B555EA94208AD68A01E748,SHA256=048F63E64D44F90BBBD308A42470AC3FB121CBD20B915D9D3954B410DDAFC924,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000056496Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:45.083{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6676.4.37372308C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000056495Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:45.083{43EB4363-55FD-60F5-AE08-00000000E501}6676\chrome.6676.4.37372308C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000056494Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.020{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W50MXUJNJZ\System.Numerics.ni.dll.auxMD5=46C8A979AD3266DDEF725C7E593B0EC9,SHA256=44F41AE20DFD28ABE6EE0E04898C519AD9709FA50D948409B2ECD81BB20D3D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056493Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.020{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W50MXUJNJZ\System.Numerics.ni.dllMD5=63A9B260BCFCC94E75F0B012DE2B32EF,SHA256=3BFD410197EBDCE1914F9CA077D5B2BE75A664A54D5D9B05169694327EC86CE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056492Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.005{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W1OTATR3BA\UIAutomationClient.ni.dll.auxMD5=49EEFA3688F97076A8DC47723F5C4845,SHA256=D64824E803DF08D47FB0EC670C5695F98C0B58A6537ECE77006412EB6785766A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056491Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.005{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W1OTATR3BA\UIAutomationClient.ni.dllMD5=1C08FF101FAAAFADEFC6F118ADE6297B,SHA256=126D05D508BAC0D8FBCC8E6863A936B443B5A47E03A34F956F0514918A00D001,IMPHASH=00000000000000000000000000000000truetrue 22542200x800000000000000056553Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.827{43EB4363-55F0-60F5-A708-00000000E501}6340bazaar.abuse.ch0type: 5 p2.shared.global.fastly.net;::ffff:151.101.14.49;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000056552Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.827{43EB4363-55F0-60F5-A708-00000000E501}6340bazaar.abuse.ch0type: 5 p2.shared.global.fastly.net;151.101.14.49;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000056551Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.889{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09D8FE0EFDFC331A9FCC2C8C2FA04BB6,SHA256=12D4219D1556E6FD80CBD9D9DB611EBB496C86C87392A24CEDCFA4BBC443BD85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056550Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.888{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD96376F35C0D47B58E1E92D12678AD1,SHA256=0373584F998CF24BFB40EDCDB74518DF3606A99A01C5FDDB9E9F30DCE8C87D7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056549Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.828{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65069-false151.101.14.49-443https 354300x800000000000000056548Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.821{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local57981- 23542300x800000000000000056547Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.344{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2F37BFFD846FFC75F987DDB1945DD3,SHA256=4E12867F7F49EC41ACDA0E569E8DB788058D193BCF75966236610AFA0A8D7479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028445Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:46.078{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4CDBAB2AF5D8A0B73B01B130E6EE37,SHA256=A51350B4F4806EB7A931E3CD71A2B7C226484E433B285A866108D335642C7E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056546Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.311{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X2S77D7DWO\System.Drawing.ni.dll.auxMD5=8BA67D8C1268098CFBBA2A626FF8FC6D,SHA256=4739DF54BA9C20953325031131B36E067190CF704B808F6886195A3426F3E43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056545Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.311{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X2S77D7DWO\System.Drawing.ni.dllMD5=25C1B73B943AFAA7C8CC9475EEB22DBD,SHA256=5C5CB8277339CD69DC9C42FD25678D6752321C18797CAA37349203D499EB5610,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056544Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.259{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WPILUDZPG6\System.Transactions.ni.dll.auxMD5=799D1D6903AEF7B551CD4A4C6B265AA9,SHA256=EAE828D0DC70B8C0CADC0F2FB1EB4DAB7A5E36C371C4B8A27C807DE7C0974339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056543Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.257{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WPILUDZPG6\System.Transactions.ni.dllMD5=8D18FAAB7987602078CF848438C95F88,SHA256=AB760B68DE4E3D55C85FBC48423AC7C47C8A8C34FC3964E0473DA960D0BC3C5D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056542Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.242{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WLMOZX3B9O\System.ni.dll.auxMD5=FD6DE591D3545BD3186DE631F46BB80B,SHA256=D9B496E22C03C6FE99055B4F3BE41057867B2190F6032B0E7B386988E37046C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056541Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.240{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WLMOZX3B9O\System.ni.dllMD5=94AE45817D7A11DB2165BC6DF4997AD3,SHA256=45879B1C723A5AE6F9577A9BC99A145C15487C5CD4FF456EEDBCC87403041C9A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056540Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.124{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A0FCD2B4F29474A24C552DB24FC8B3,SHA256=F65DD5088AEC3F1A15AF860914351F32B69F5213EEB6B60C8E385D2651E8E31E,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000056587Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.828{43EB4363-55F0-60F5-A708-00000000E501}6340p2.shared.global.fastly.net0151.101.14.49;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000056586Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.127{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65070-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056585Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.768{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XEFBNA36PH\System.Configuration.Install.ni.dll.auxMD5=5A370DF59B981781F12A7F3A37D66361,SHA256=110B34A25634C7C5EFD6242F5A78BB129C5DB3A8F7BCD745233898DF3B63153B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056584Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.766{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XEFBNA36PH\System.Configuration.Install.ni.dllMD5=BB79E90A6CDC752EC6FA8D004D881F82,SHA256=094F1E63ED0E7041F3C57AADFEA670CE53997439B064C4C5802CE19434004860,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056583Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.759{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XAOAEWYN6S\System.ni.dll.auxMD5=97D37AFB390992CE3C6F1D4E1112CAA5,SHA256=E9BE5584192A17CDF882242AB2C104E2A185B276E589F81AEC50663E4BA6F881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056582Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.758{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XAOAEWYN6S\System.ni.dllMD5=709A692740777021A1BC08A50B61C807,SHA256=AD85D06B3912A64986318D87202BDCAD748D6E68E3B693D37459EF9874889CCF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056581Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.584{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B323C3556C494BF3266004D20E592AAD,SHA256=414C0344F79B0131C2BFC1A8C9331B780156FE1E7A014CD34804515DEBF66A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028446Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:47.094{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB0DFA9B8445201E7CFE783B1ADBDD7,SHA256=7575AE5CA5054A70F544ADB7AC3E2FC659ED7692685C2023B7EA6D477C2B5267,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056580Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.308{43EB4363-55F0-60F5-A708-00000000E501}63406744C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+121a0bc|C:\Program Files\Mozilla Firefox\xul.dll+13233a1|C:\Program Files\Mozilla Firefox\xul.dll+1f4e71|C:\Program Files\Mozilla Firefox\xul.dll+1227e54|C:\Program Files\Mozilla Firefox\xul.dll+4127f|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000056579Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.307{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.50.4550575C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000056578Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.307{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.54.139314391C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000056577Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.307{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.53.117275825C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000056576Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.306{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.52.11278245C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000056575Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.306{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.51.78117614C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000056574Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.306{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.49.172768231C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056573Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.295{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056572Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.294{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056571Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.279{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X6YBSYVLCJ\System.Web.ni.dll.auxMD5=F75844856EE6FABD9C2BF434525D8F9F,SHA256=1F40EEB68BE036B5E0B884535BE71578A36B57947ED17056394FEF8E5E411B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056570Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.278{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X6YBSYVLCJ\System.Web.ni.dllMD5=42107A9680DD1F0C15ECA4BD0B4C3A45,SHA256=E865E3843039ED20DA42936DE4AE5A66B282101FC494E5676F6BAE458429D669,IMPHASH=00000000000000000000000000000000truetrue 18141800x800000000000000056569Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.264{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.8012.2.5707645C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000056568Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.264{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.8012.1.127151997C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000056567Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:47.264{43EB4363-5725-60F5-0209-00000000E501}8012\chrome.8012.2.5707645C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000056566Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:47.264{43EB4363-5725-60F5-0209-00000000E501}8012\chrome.8012.1.127151997C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000056565Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.256{43EB4363-5725-60F5-0209-00000000E501}8012\chrome.8012.0.101318715C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000056564Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:47.256{43EB4363-5725-60F5-0209-00000000E501}8012\chrome.8012.0.101318715C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056563Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.255{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056562Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.254{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056561Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.221{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b3568|C:\Program Files\Mozilla Firefox\xul.dll+122d767|C:\Program Files\Mozilla Firefox\xul.dll+12e44e9|C:\Program Files\Mozilla Firefox\xul.dll+29dfd24|C:\Program Files\Mozilla Firefox\xul.dll+12bfb3c|C:\Program Files\Mozilla Firefox\xul.dll+1227e54|C:\Program Files\Mozilla Firefox\xul.dll+da0207|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000056560Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.221{43EB4363-55F0-60F5-A708-00000000E501}6340\cubeb-pipe-6340-6C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000056559Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:47.221{43EB4363-55F0-60F5-A708-00000000E501}6340\cubeb-pipe-6340-6C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056558Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.205{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056557Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.199{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000056556Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.198{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.48.47560312C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056555Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.194{43EB4363-55F0-60F5-A708-00000000E501}63406724C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+29ffab|C:\Program Files\Mozilla Firefox\xul.dll+3a5b85b|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000056554Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.194{43EB4363-55F0-60F5-A708-00000000E501}6340\gecko-crash-server-pipe.6340C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000056593Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.664{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local54109- 23542300x800000000000000056592Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:48.605{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93CA993221DBD31FB7F893425ECA415,SHA256=0F692D2EF6AD19E32BA322FB987F886CA2F104FFDE1C81D7B3A54A0EACE0ED49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028448Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:48.109{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7559CF32F6DAC1A31BA523CDA362140D,SHA256=6DAB13789E6925AC45764BF28809537826152CB0365351B57BDEE1F5A11AE945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056591Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:48.274{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XGTN4JOG04\System.Configuration.Install.ni.dll.auxMD5=08DAC8470A6071A6F9D300CCECE11FDC,SHA256=F21F4F9BD5BEBE704971BBC058A01C007211FABC2BF86E2BDFF504394E89A5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056590Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:48.274{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XGTN4JOG04\System.Configuration.Install.ni.dllMD5=6CEF29BBBE3A64E8EDA58C8614B58316,SHA256=D6B4C973DAA83DB08F6D1013643F3A287BE92A3DF7629A06421EA2370B126C58,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056589Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:48.270{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XFM9ITHJMN\System.ni.dll.auxMD5=F974195E5ECE86B40F7C98CEAFF80650,SHA256=6FED5EE609434200BCCA2E954E4FF45678A458F016A429BD3AD7BE480AC33845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056588Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:48.268{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XFM9ITHJMN\System.ni.dllMD5=13DE7F98F0CB9EB352C90FC60D125E6B,SHA256=895BF50B6C923C70F9F96ED6117D4F5929607376E5F00531F7E0E9209D4A1028,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000028447Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:46.103{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51227-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056614Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.972{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZZT9OSN8RI\System.Transactions.ni.dll.auxMD5=999D14BCEA16BC6927359881D4D39D58,SHA256=E951F9BEEAFE791DF0F3CB3AFE9BD07BDE358EE20E01DC5F2018DDDB466EEC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056613Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.971{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZZT9OSN8RI\System.Transactions.ni.dllMD5=069D6E12D3CAB923FD4E8AC75EE89BA1,SHA256=F4957C4BFCF882B16615546FCA8A910B09508E5520C62914203915BA51DC3DF1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056612Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.951{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZXIE4TWQX1\System.Numerics.ni.dll.auxMD5=03FB751D7366F1FADBD9267BF1C0D693,SHA256=5F68B3516C69DF888F1ACC44B0A716CE8E63DB995BEC4E8DB170237BC10908AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056611Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.951{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZXIE4TWQX1\System.Numerics.ni.dllMD5=282F0EF6FEB85C1AA8A4D5EAED7B0345,SHA256=9999B5F5E7F6A025582ABB469F2B898514033BC187344B9CA7E507DAE28CB542,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056610Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.951{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZXC84VB1B5\System.Transactions.ni.dll.auxMD5=799D1D6903AEF7B551CD4A4C6B265AA9,SHA256=EAE828D0DC70B8C0CADC0F2FB1EB4DAB7A5E36C371C4B8A27C807DE7C0974339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056609Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.935{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZXC84VB1B5\System.Transactions.ni.dllMD5=8D18FAAB7987602078CF848438C95F88,SHA256=AB760B68DE4E3D55C85FBC48423AC7C47C8A8C34FC3964E0473DA960D0BC3C5D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056608Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.935{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZWB27RLG8P\System.Management.ni.dll.auxMD5=DB8ADD4CB7AB7C2BECB6E5D2876DCD98,SHA256=C508A4E3185C74167CBFDFFFC0296BAE94CD0406996404244EA570FE5FD4FCDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056607Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.935{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZWB27RLG8P\System.Management.ni.dllMD5=4840576F30CADC46214E01EEB1DDEB0F,SHA256=182B6C71998AA6298C694DEE7047C8D4E74228A3B112BE72EA26694380F7E86B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056606Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.872{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Z9ZNHXO485\System.Core.ni.dll.auxMD5=FF4E2C92B938268E23AEED9F7BC732F8,SHA256=19FC78637B8A3B2A736A0ADD2E08F35E595E8854D68B668FB03022BD4AAECBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056605Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.872{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Z9ZNHXO485\System.Core.ni.dllMD5=95173A32BB22297C898788BECB82637B,SHA256=EA0063A4BEF0AD2C8C8BECBFF53222AF78D9E5C3199903A8CFCEA2E63BB78C24,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056604Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.620{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73467D7F3837BF557E852B167EDB444,SHA256=83C3CDDE93E7953CF962738F8ED12CBDDE2D3787B6E0431A2A0640C894B62243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028449Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:49.125{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2450031454D2F43AE46D191D1CCBD9,SHA256=E396BE2EFC3546D66FA733B96956BBC0B2A0387F1E2CE11225908BDB1174C35E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056603Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.489{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YW6H3N5KJN\System.Core.ni.dll.auxMD5=837ED7C37327AAC0A3D72346C92C1E33,SHA256=03CCB7D13D93251175DE2ABAAA91E995C4A2FD627167E2E150B73A0B68C288FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056602Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.489{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YW6H3N5KJN\System.Core.ni.dllMD5=FE8274D8E31521C1EE127F0B9A468B11,SHA256=5EC1AB20A6FC7C8B10B5915D6BFED9B96EF524DDE933816D521A21239C339D16,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056601Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.089{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YM71E75P9W\System.Management.ni.dll.auxMD5=57977DC6FB73B7EF9F0429019FFA5061,SHA256=4AF54F621129F716BF4E9F92298BB592D79AFF11267EE8784D371BF3322E9209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056600Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.089{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YM71E75P9W\System.Management.ni.dllMD5=C7C2C0EC4382A20A53972E3E36772AEB,SHA256=4D17386AE4FC46A77C2BF66733B014E6E19C8BD7864D6CAD4606DFE286FCC469,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056599Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.052{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YBIDL94MA4\System.Management.ni.dll.auxMD5=9E113C3F173739443B36B19DD5C6669B,SHA256=E6D1A62EA7C191912AA011D805E8000EE89FE7281E888EF7A398F4FBA9AC4182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056598Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.052{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YBIDL94MA4\System.Management.ni.dllMD5=545B093E8C7408982436090E8E13BA3C,SHA256=CFFD545D318D02B523B06E28AFD09A3649D013965B45986CFCAEE54A07AF0C1A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056597Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.021{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Y4IA8CF0NY\System.ServiceProcess.ni.dll.auxMD5=29E6A003183458CCF64AB3D7FD5E09A9,SHA256=60A7576757C609BEA9AC9B80C89C840C25628B230A49E43AE3297DC76FAF7D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056596Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.021{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Y4IA8CF0NY\System.ServiceProcess.ni.dllMD5=04E405537AA94EDFF3323F0467D26778,SHA256=68136A857028E1F557F9FBB105346CC072FF372608AB0F448A7BA6AEE555D34F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056595Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.005{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XVFFVWAZ7P\System.Data.ni.dll.auxMD5=1048C0ED575A23FCAAD4A2A3D4AB051D,SHA256=4BF180857736CBED625371F3063FB75AFDCEA6BB064FB787B1CE79717F5B522C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056594Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.005{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XVFFVWAZ7P\System.Data.ni.dllMD5=97B08C7C842385FA82BB242375C02597,SHA256=12EDACC3503A34EE8F82B27C2E63D46FEE7F5C01CC2D8838A5ECD39FC615074D,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000056625Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.752{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-572A-60F5-0309-00000000E501}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056624Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.752{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056623Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.752{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056622Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.752{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056621Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.752{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056620Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.752{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-572A-60F5-0309-00000000E501}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056619Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.752{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-572A-60F5-0309-00000000E501}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056618Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.753{43EB4363-572A-60F5-0309-00000000E501}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056617Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.654{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73196D41EEA742130D5B3969C58CCEEA,SHA256=31347BF394579D5E1861AA27EA06F3B0936680B799648235D1FA56A8B9C3BC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028450Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:50.141{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35BC0E7195C52A0A089D2516C5A8906E,SHA256=585A52580C7DB251F6F1103CABAFF3968AB26379FE00AE354DDDE30019A6BC45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056616Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.488{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55C2-60F5-7508-00000000E501}1960C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056615Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.488{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-0F00-00000000E501}344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028451Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:51.375{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA3482A9864CCD4434DA786FFDEA3FB,SHA256=6408C34C2F03AFD01143ED60796F042D6E62DFDE9A572D6AA9628EA15BD31215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056640Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.945{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056639Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.793{43EB4363-572B-60F5-0409-00000000E501}75047276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056638Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.777{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09D8FE0EFDFC331A9FCC2C8C2FA04BB6,SHA256=12D4219D1556E6FD80CBD9D9DB611EBB496C86C87392A24CEDCFA4BBC443BD85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056637Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.714{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F996CE289CD479B9F764C43770C9CC7,SHA256=8EAF9C6018F83C9BB55D5E6C08021775F368C45EE96FF00610D3D570AA2DE6F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056636Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.614{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-572B-60F5-0409-00000000E501}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056635Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.612{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056634Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.612{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056633Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.611{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056632Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.611{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056631Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.611{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-572B-60F5-0409-00000000E501}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056630Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.611{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-572B-60F5-0409-00000000E501}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056629Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.609{43EB4363-572B-60F5-0409-00000000E501}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056628Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.111{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6EC779516385F1DF78CA7783A5813F9A,SHA256=8C906DC1BC76B5374AB2C8AE37AF1A6890ACBD7BAB412A7296DB5255CEBF3934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056627Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.109{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7B0B023C4DE056F1059856F419B5D9D3,SHA256=826D2E10A94563C3A50A1E990D7E736F4888F42573AA77A58C635A21516E30C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056626Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.102{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056654Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.907{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1300-00000000E501}676C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056653Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.907{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A6-60F5-0C00-00000000E501}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056652Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.907{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55C4-60F5-7F08-00000000E501}2180C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056651Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.907{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55C4-60F5-7C08-00000000E501}3780C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056650Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.729{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D289965D8DF54622AF86D345473B356A,SHA256=DF59893CE2746271B9878D367CEB55E8632B5CAA73B3794488838764070E0078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028452Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:52.609{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6285B267A46CC7EC299662764F5589CC,SHA256=2302616F0E6BC20145C69C50D3515B72F07A92444BEC397F1C681E0242807A68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056649Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.161{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-572C-60F5-0509-00000000E501}7252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056648Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.161{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056647Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.161{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056646Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.161{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056645Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.161{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056644Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.161{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-572C-60F5-0509-00000000E501}7252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056643Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.161{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-572C-60F5-0509-00000000E501}7252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056642Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.163{43EB4363-572C-60F5-0509-00000000E501}7252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056641Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.145{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6EC779516385F1DF78CA7783A5813F9A,SHA256=8C906DC1BC76B5374AB2C8AE37AF1A6890ACBD7BAB412A7296DB5255CEBF3934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028453Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:53.828{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92BFC62941D8A3D97BAFC5714CD53EA,SHA256=26E77C63123F2712DC0EDE0C4B1ABB13C154D6AA22E3C7D76BEF87EBD6546A3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056658Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:53.745{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB660CA0FE36C2871EA310E74571FFE,SHA256=DED56A5D8D40ECDC11175C38F16DC1129733CF58B5E24F9292A998A6643EACDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056657Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:53.328{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056656Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:53.213{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7FA198DC2332D22D30984BF9BDEB7BD2,SHA256=EF358935D498CECBEA36D3360BC1C8BD6FC44AC4C913B7EA5EE6F5352E68CB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056655Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:53.175{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1D8F4A1627BF2B5F877BF936B73E35F,SHA256=C66A34B787823EAC63929194772438E12F5A9C60D64593C5E721A90E218058B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056683Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.931{43EB4363-572E-60F5-0709-00000000E501}25764840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056682Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.909{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8A08-00000000E501}4852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056681Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.862{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056680Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.762{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-572E-60F5-0709-00000000E501}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056679Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.762{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056678Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.762{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056677Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.762{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056676Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.762{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056675Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.762{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-572E-60F5-0709-00000000E501}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056674Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.762{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-572E-60F5-0709-00000000E501}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056673Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.764{43EB4363-572E-60F5-0709-00000000E501}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056672Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.747{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3BB9708249C6DC497B1EEB00D5912B,SHA256=FA7EB85590F653EF7468119F443E623B9C51F31A9B8561AEEA483D753C4A1012,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028454Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:52.024{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51228-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056671Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.660{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=849C6DB78ACBFE5015C0DAC674F7E625,SHA256=FF44A736293BEBC96AD8B7E74BAF1235AA149B79543C88E2E441DF84E0C2A814,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056670Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.459{43EB4363-572E-60F5-0609-00000000E501}75847620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056669Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.244{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A07D22C503E624854865FCBB6E9CF948,SHA256=D759B80F36FEF31F7672075F91A0009B790C7E5A0B88342544D9573CDFD1AB33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056668Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.229{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-572E-60F5-0609-00000000E501}7584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056667Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.229{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056666Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.229{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056665Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.229{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056664Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.229{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-572E-60F5-0609-00000000E501}7584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056663Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.229{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056662Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.229{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-572E-60F5-0609-00000000E501}7584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056661Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.230{43EB4363-572E-60F5-0609-00000000E501}7584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056660Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.113{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056659Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.044{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65071-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056688Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:55.793{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5552B1FC2768EDE98B410330E83C455F,SHA256=537439FD1688E18A70D562F8A772C9076E3014E43F664A8A73FB3FDA4734F094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056687Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:55.762{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D179CAB500920B6C4E58430302D3A9EC,SHA256=D08845737329504002A21AD7DB29A877A9EFACE3FC59524F4EF6904BED48554E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028468Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-572F-60F5-F405-00000000E601}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028467Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028466Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028465Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028464Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028463Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028462Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028461Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028460Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028459Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028458Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-572F-60F5-F405-00000000E601}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028457Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-572F-60F5-F405-00000000E601}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028456Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.673{53AF6CEB-572F-60F5-F405-00000000E601}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028455Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.063{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A856A6A7AC8BEAD6E9232FDDA02430,SHA256=B5F6E08E9BBE57A6C5B37582211D35B3E585FACAA6B2CADD75B63D69AD54F720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056686Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:55.278{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AA5CE1E5F4752B501302E2F59C69D41C,SHA256=FB27DF64DDA47D51492A8954F8A697E523075DD2378D3387F916EA864080811E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056685Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:53.578{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65072-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000056684Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:53.578{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65072-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 23542300x800000000000000056712Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.913{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056711Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.913{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5730-60F5-0909-00000000E501}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056710Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.912{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=86919EA02B22AECDB45CBE142DC90841,SHA256=31B26CFAA610A29AEF68FE20CFB8485F348F96A502ED46F5E3B09ECC1E1953D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056709Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.910{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056708Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.910{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056707Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.910{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056706Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.910{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056705Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.910{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5730-60F5-0909-00000000E501}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056704Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.909{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5730-60F5-0909-00000000E501}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056703Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.908{43EB4363-5730-60F5-0909-00000000E501}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056702Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.909{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=7F317D6B9B84A07E133ABA33521367DC,SHA256=B5968B65650E20A4EE1C9E104AC7DEC4DC94095D30DC756539C4B72831DC490C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056701Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.892{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056700Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.777{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF13ACC1DB38D82F0917B341D39E02F,SHA256=7D33616F299DE5D4CB9A818B9385ACB6EF372021754BDA456C193DBE7E236B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028484Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.672{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32F0ADB902E05E19F3F1DD555850F59D,SHA256=CBA7146DB4AD25447D0B557D90404D7A8263AE69E170E64B57FFF8CBD5BE4A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028483Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.672{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D04892B0C8C950349359F687EEEB6A4,SHA256=4B4366B795B4A56919CA1DC9925F8410CCF8BCFAC7A470CAFD4723C6C3BFEE78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028482Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5730-60F5-F505-00000000E601}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028481Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028480Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028479Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028478Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028477Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028476Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028475Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028474Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028473Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028472Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5730-60F5-F505-00000000E601}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028471Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5730-60F5-F505-00000000E601}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028470Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-5730-60F5-F505-00000000E601}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028469Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.297{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E93FD031529C09481F0EDED58E1C0C,SHA256=1020DB17EF8631D10724779D8EDA552AECB5CF965785EC963B033A4FFF11F1CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056699Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.561{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55C4-60F5-7F08-00000000E501}2180C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056698Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.315{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2B6E5B3D4CD9104283C3C0E7C1D1EEC4,SHA256=E7CA500D2CA51EBCB1634A4EA9CC60BCBE1EFC5EFC6B82318275F0AE6DD37159,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056697Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.230{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5730-60F5-0809-00000000E501}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056696Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.230{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056695Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.230{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056694Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.230{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056693Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.230{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056692Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.230{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5730-60F5-0809-00000000E501}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056691Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.230{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5730-60F5-0809-00000000E501}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056690Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.231{43EB4363-5730-60F5-0809-00000000E501}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056689Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.212{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028512Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5731-60F5-F705-00000000E601}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028511Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5731-60F5-F705-00000000E601}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028510Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028509Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028508Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028507Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028506Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028505Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028504Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028503Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5731-60F5-F705-00000000E601}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028502Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028501Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028500Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.940{53AF6CEB-5731-60F5-F705-00000000E601}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028499Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B04B53DC4DE06BDA8B6917B565FE395E,SHA256=11FA232BEE5E5959CC9A77A26F4F3CF14AFB3AFB2B82B2BFE90F2C45C347AC38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056717Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:57.791{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A1B0AC1960E43A2CC571E219DD3433,SHA256=29F374DF88429BCF5D5096995B5CEE9534C81419973DA40AC97ED64F68C150B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056716Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:57.560{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056715Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:57.361{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7571A72E5C95B8BBB2882184E0F99160,SHA256=AF42C7655B4AA05EA99F3E79BE8D7562AFC1CB4227DA8FF3B93AE2D7A59B2701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056714Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:57.261{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=325C6D0CD8BD96A4F2F2CDACD446D2DA,SHA256=220B5E24A21EA470DAEA7179EA4D58645113A72F463DC0A19630EA1F1925A29B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056713Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:57.076{43EB4363-5730-60F5-0909-00000000E501}52968140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028498Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.156{53AF6CEB-5731-60F5-F605-00000000E601}10523460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028497Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5731-60F5-F605-00000000E601}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028496Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028495Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028494Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028493Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028492Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028491Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028490Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028489Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028488Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028487Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5731-60F5-F605-00000000E601}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028486Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5731-60F5-F605-00000000E601}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028485Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-5731-60F5-F605-00000000E601}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028528Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5732-60F5-F805-00000000E601}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028527Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028526Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028525Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028524Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028523Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028522Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028521Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028520Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028519Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028518Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5732-60F5-F805-00000000E601}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028517Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5732-60F5-F805-00000000E601}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028516Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.985{53AF6CEB-5732-60F5-F805-00000000E601}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028515Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.953{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C7BF790C66E8CF314DB041D2785DCD,SHA256=9FC5FB2EBE2C3A039A20551C50EE8CC36261B60C4CAF249ED7311A1053630C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056720Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:58.809{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39EC4AED7D9C5012BC38071C10D31EBC,SHA256=5002A1D5A0F98000D01FBA0EAC91573169B5598742F56F5E0E8E8C327FBA645B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028514Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.094{53AF6CEB-5731-60F5-F705-00000000E601}34002012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028513Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.016{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32F0ADB902E05E19F3F1DD555850F59D,SHA256=CBA7146DB4AD25447D0B557D90404D7A8263AE69E170E64B57FFF8CBD5BE4A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056719Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:58.407{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=66034C94F9AAACFEC09815519013EF1E,SHA256=A40BDC2AA78039ED7E51AC5FFD18DE972CC93B26306735630C9D1C638BFC664B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056718Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:58.060{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8A08-00000000E501}4852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056722Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:59.828{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41B1B5F04CC2882655094859AFB1719,SHA256=AE33345BCCA441EE8EACF50B6F7639DE476CB15199D16931E5F7DC566E1F8AFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028543Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.859{53AF6CEB-5733-60F5-F905-00000000E601}28884052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028542Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5733-60F5-F905-00000000E601}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028541Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028540Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028539Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028538Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028537Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028536Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028535Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028534Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028533Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028532Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5733-60F5-F905-00000000E601}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028531Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5733-60F5-F905-00000000E601}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028530Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.657{53AF6CEB-5733-60F5-F905-00000000E601}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028529Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.156{53AF6CEB-5732-60F5-F805-00000000E601}15323852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056721Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:59.412{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9FBA8030AFBF714B8FED7773A1A80131,SHA256=9940AD049145EC1FFD508E45925FD767F93304BAC4E2C39484D653AF98743491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056725Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:00.859{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B5F70CFA123A34D82056516E82EF9F,SHA256=A32E30DF16C0AE84593E5D91D45F8F38187CB7E97D239142B4A43BEB9D33996E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028546Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:00.297{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54ECDED2BCB83B6C0FC7D01595A1A12,SHA256=4B77B466DD16F4047235495DB82E803594E3ADC7B237DC96D9C55A20355EEEE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028545Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.993{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51229-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056724Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:00.474{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4C31BDB4E47EC6D50458B7B9D1A5C7BD,SHA256=EB9C73C0CD8966A39EAAA75B62751446226143C59471C4412533C928FAD60AA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056723Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:57.978{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65073-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028544Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:00.000{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B88BA7BA222C3F2692924FB1AA9FB81D,SHA256=7F95B99666009016999C9C2B261509A7305C3B891A036201FE5CFBF8865578BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056727Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:01.988{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE879FD9B31A31A311C55C07FE88BCAF,SHA256=1425788395BB4C6BA954170A1BA0C46A5C918AFC3F936D8214C520D288FFC637,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028560Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5735-60F5-FA05-00000000E601}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028559Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028558Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028557Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028556Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028555Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028554Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028553Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028552Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028551Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028550Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5735-60F5-FA05-00000000E601}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028549Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5735-60F5-FA05-00000000E601}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028548Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-5735-60F5-FA05-00000000E601}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028547Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.313{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0533DCFC96996F0125E89654A59AE30B,SHA256=7A22A0A0A7394172690420183158781A689D0079E3CBD6FD70736161901087EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056726Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:01.511{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9F753B674D9FA9071F8CC765505A2C95,SHA256=7E0373825EA145B76841AC22F1385773A893C3FDD3E474055E8EF6C1C245C8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028562Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:02.536{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F222B61B8F74EED40CEC29EFF6352C,SHA256=4893F0E69F38018F29B52A23FDB3D72020F4F1A5C8E4BEBA28253C959C6285F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056729Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:02.992{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C50EB94881554E06091D470F2C1820,SHA256=CB973C796FEE489C5280D7352A2E5D5D03B12E3C7FF89C9551D6B4E4BD8DEBDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056728Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:02.545{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2FD4C1BC85D796C28954619B5BBDCF35,SHA256=7D8B7C3F411F53C574F801E29888C00F2CE23049415EDA38CD4F65A013A251E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028561Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:02.458{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14081448347739268F7B209E2227D2CA,SHA256=9780597538E0A41D07BA1BCB9E10B351D82EAFCAA3884D317A796C422B55F865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028563Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:03.770{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409631529FB0579AD5EB59506B4C201B,SHA256=41F537D7367FCAFBDE0707517D9585CCD0345B5B76B432482565F95DF6944E7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056732Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:03.660{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8908-00000000E501}4428C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056731Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:03.576{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=86DA9FAB8C8194CF154780F884325569,SHA256=E7F4F3528ADB01889B4F04C7725129D79E5D5B150846F2C748A7AF7E8106ADD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056730Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:03.291{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056736Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:04.643{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6252BAA605A4DEDC1C00223F7563D87E,SHA256=9019603C61800D1CFDE90246CA46830BCFD31B379B898DEFB5743DBC0E96B8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056735Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:04.590{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056734Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:04.060{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056733Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:04.010{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AA2157CE1693904405902AB27C2E77,SHA256=01D27226381B473031C0CFE81BFEB9014415E8894CD839C5404919137EC63377,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028565Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:03.107{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51230-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028564Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:05.005{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059879DF4AD65DD7B22247B90FA8552B,SHA256=4595763C0EB52AD4EE255B1462AEC3F02B77BCC7FB2F792295ECA753009B65E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056739Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:05.674{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=93337FD73FEE5B100F7B692BEA58C0B2,SHA256=BE2F12FEAA1FF09545E467E9D1D4359FC6C087C84C8E62960F5F65D6AEBFE496,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056738Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:03.093{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65074-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056737Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:05.027{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1FA44025E6CA4DF61FD60FDC057326,SHA256=106203EE0591C9EA70E7B761A0552792BD9097E12728EC73BE7E8AA64F722E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028566Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:06.020{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7631F2A974FF4155A53580B1771E09FA,SHA256=AE86B42F5C903C6B2010D63B351FAAF62D9BD39A0DBD4AC9FBABEAF0F9E09A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:06.811{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:06.709{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CD032AA985093D95DB1F4E990A3899A3,SHA256=BAC4DBD087616B93192146B37BF536B43FF39F3362C86188C865F1820EEFBEE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056742Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:04.508{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65075-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000056741Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:06.111{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056740Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:06.042{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=172790F40E52FA86F58BCA43DCAD3CA4,SHA256=E3A645144CE1D5A21FA254373BBD3EEF070DDC0C79DEEF65597C2999E05523CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028567Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:07.114{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A25164D4A125139B6870ACEBA830C53,SHA256=0189A22DABE64BF5013DC390BF3E72D2962CB17C2AA06CBC2638B71E633466AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:07.743{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=136643211E44BB95972536CD8C43F93D,SHA256=DAA45793C2E9AB821F82F7C2C281296E4832FC76A2D4497323DDA0E9FE504C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:07.507{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:07.043{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF6438DD94847AD4273BF02A2F92F06,SHA256=8003D9315436ACB2465E3DB9805A1F94F7D0C98857F5F6D2FE4624BDC7336A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028568Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:08.114{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B45F1C6A322F22FA2CF34A91D4C11F2,SHA256=08F83B898CF40F6E98A554494D59A48E896F9D7CE15D49BC4EA1A677BABD086D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:08.842{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7D4115147A1A12E26180870385E9D510,SHA256=3CD15C738C2852DF91411ECFC90964E3D3F6673FA77F8B67886BCFC656E75568,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:08.358{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:08.358{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:08.058{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFED1D4EF2FB0D4F4C514E06E1123A89,SHA256=926A4A2B7C3C39705E1A757DB87BD615B4B448EB65312C3E54B2B2E0C6CB4AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028569Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:09.145{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB3A0B129125966AA7AF929EA57DDDBF,SHA256=4EE32E4FD76EBE7399858EE4531F5D8DC1C054BC4C8B83D01119A6F859C73C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056754Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:09.973{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2DD2E6122FF411DA7150D684AE28EDCE,SHA256=90F5B3435F4847F6E3CF73C540C2F7323950C65EA2796122F250E52F8A77136A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056753Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:09.511{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056752Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:09.089{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB13092087478877DD2F3757A3704BE,SHA256=F509B91AE6886C511EBB57F7A37118F3B44651DF3691481A96CDC90387FC7977,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028571Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:09.044{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51231-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028570Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:10.380{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685BCCF6EB74000868FD8CD420F050A0,SHA256=09720EEB4DBD19CC9FD92599A3CC918F1CFF47D480F4B51C141028B283FB2080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056758Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:10.987{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=73D8ACC4A7EBD27ED374346EDB12882D,SHA256=FA0B5C92AB7B3ABE34CC060D8387E359CF6ED54F13377674CF6A06C0F2A91C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056757Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:10.809{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056756Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:10.157{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056755Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:10.110{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E196F478069B555C887F6FB7AC7838C3,SHA256=FD3A654185CE6BEB20F297B1F68D84C3823E6023A79205109DBE2DF2BDD54D64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028572Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:11.505{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515AE0DC51B84298E3F037D2DA052EE8,SHA256=4F0497BCC36D4A90612039F272254B461A5B0F561DD4BD94795E1AD221883A19,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056760Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:09.023{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65076-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056759Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:11.130{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=701DD91A469337617733AE4E1B57DFA4,SHA256=22BA6EC5AB8A41AE3AF62589CC25B40F2A83D7CDAF33A1EDA246BBB574353C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028573Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:12.739{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010224F4059147E407D177CFB580A932,SHA256=6FF8EB760D5AA87E9AC2257E0C9ABA9C8F2A8A1CE6735053E1CEDD308CF0886B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056763Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:12.829{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056762Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:12.145{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FF0F59C76CC4B5CC9822AC034C87D5,SHA256=40FADEF9EA807843A743365369599DD4E25F0FE50568081830247C799DE1DB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056761Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:12.013{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=851A62048CBFC92E993B54A57FFCCCF1,SHA256=8C2B79D92D0C3A8D0A30E89C3CEF95CA03E0C7BACBDEB90CDA92060D2997FF78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028574Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:13.880{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476173FCAC668F7F76CDD6D9BB25E084,SHA256=BF2460D4F2B71BA4668C40A1A755E201D0FBE59DE11C085AA4C24F0FFDFBA6D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056765Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:13.160{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F10BDEE760297A0883E545ECECF043,SHA256=524A93746D89B319CEFAC874E55A0D4587C790EC40EBAACBAD19E8ABF1672566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056764Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:13.060{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=36FF545DE5D486629FF88B6E09C6F108,SHA256=1DD6205341E902674A5C86BED109298BD3C75456185254AB82420BCD8FB22E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028575Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:14.895{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCA4EEF86E480DAF666D60420F22DC8,SHA256=35EF31391515478E7600E558160453E2A0E712A2B19551C585EFB26B352C3139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056770Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:14.830{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056769Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:14.177{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056768Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:14.177{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC6A90C8B8A56346D9DDFDF281E31C7,SHA256=AEE90A91E15AADC284466DC9A7E311D9D83C63EC971C61DE140BC419CFA5064E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056767Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:14.092{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1BDAA0EFC314C5D394491DB8085AF13B,SHA256=9A0C2A71F8215513C7DB7DBB8CEE4FE6323F0B311397454AEABE807C5601AA7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056766Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:14.006{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A6-60F5-0C00-00000000E501}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056773Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:15.577{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056772Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:15.213{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B5D4AD4C3FFA038B47251ABC40D25C,SHA256=AD1D6AC8FA90FA4860E82703D005BD6DE482617B02F1935A5127F8F9C36C19B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056771Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:15.114{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0B177F830468587EE90570EEF36DD5E6,SHA256=0D1104D44BD0628B3E4F9B4504C786EE8AD92D96C22AE4FC7D841B24B05ABB78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056777Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:16.910{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056776Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:15.043{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65077-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056775Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:16.246{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B234053DA7006CB6F9B1510DBE12ED7C,SHA256=C728E37629B129385C33032EE39CF092C12E4DED88B922B6462B28BCF277D5D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028577Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:14.982{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51232-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028576Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:16.098{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A28B83865139A5C6AA46F2E7D90163,SHA256=22217894CC3EA93C219DE6380AF09C25E6446B4F55573448DEF1D509122F2D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056774Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:16.161{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=75CB526037DBB9BEDA2F7F7DA5BC050D,SHA256=F9BC1A547E8FD806FEC79BD443D97EC7ACB2CD839614521785DB26242E35C12F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056780Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:17.530{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056779Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:17.277{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A7A4FF36F33389C19C73F75EF815CB,SHA256=251BC89A3F017DE86FD11C8490E4C1C6E74DF301F05EA3704219AC1027F7E528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028578Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:17.145{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33A3895DB1DC0228B363B765ED28F5D,SHA256=FD5A186A1FF3468D0F6797DBAA9994EE622063C3898D6E2C1C8046B669CA2623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056778Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:17.192{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5634B54598AD3F5D246DA0342A63D2CF,SHA256=12E0D33981A7DD1D7D825CEDBB6A8CF16D1F80FC5C02571BE44BB6712B8D57F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056783Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:18.346{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8175B40E10CC79BFDB1915339CF0FEEE,SHA256=508FE458C87F3920DDCA1487D442843308896F601F5B205E626488722C7C0998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028579Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:18.255{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B607AE9C2AD88F3804FE94CCEA0E7C7,SHA256=F66F628774BC189C4B2BC94302DFF4F4464FD60886F607DF7518B88EC82B5065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056782Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:18.215{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6D1B21C0B022059ABE925F31B8EDEC99,SHA256=E31CFB81484B159853C5DF28E29051CB004BF8D6D3B76CA73E1120F35F333834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056781Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:18.194{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056786Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:19.594{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056785Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:19.362{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=289FFE16D7B677770DCB223890691910,SHA256=9AAA93B4362986A417D9973C18EFE4109C07E82746760A59C1834057B386F7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028580Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:19.270{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC21ED03552C7313F0C5E47BB32D3E58,SHA256=918739D6ADEB54EEE74B2154E77FEEE2D8CBBBC5BE9AB98EBB8289A7A560A7BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056784Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:19.278{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CE93355ABC3360C89972AF61922FF520,SHA256=019C32D75935F67B4E03C2BF79E8D631F6AB2006902E71070941B3A6FD9BA27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028582Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:20.942{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9C072C0347131C73DAEB90472C32B185,SHA256=76059EB2B38AEF9F1843FFB563CCBE1F7EDFB610E2361E663D2BCA956C125319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028581Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:20.270{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F24D1525F31C360027B9C8FF1C5CEA,SHA256=954487A593755109FBF42BF12EE0CE21F85C256B214007CA5E2109C9C4538D6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056789Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:20.377{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3230B03EE210769D482DFE9F895E9F,SHA256=F9A7F0F94A7E2926914D7D2165ACF0B511B17DE5AC1AB2506AE1C66D3EAEA78D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056788Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:20.330{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056787Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:20.293{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=451E09DD6622F46A5BCCB8AC2B44DFBD,SHA256=E325E94CE24B8D7012D96EB16B2BE85566C634B20A5ADBBE78E45F03197273BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028585Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:20.138{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51233-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028584Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:21.489{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1154AA5143A812416D4D8E16ED453A,SHA256=A0C5EEFD1D4F8E0AFE5D8BDC95C91702462AF9F197A1AB0438BE9EF5B6795C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056792Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:21.411{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA176A967094954833549E40EA249999,SHA256=4374259552DB2161FD724EC0744413D2C23D3791B7AF71B61E53E56AAAF08CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028583Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:21.333{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056791Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:21.308{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2997C79D8703599795632836E3B26E10,SHA256=839716D92398FBFB400BBDCACA0AA1308A25F760784ED4F9ACD4FD9E946D819F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056790Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:21.045{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028586Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:22.721{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC08952DEB8C9DB17741F1A24D6327CB,SHA256=8A9CC8FF4B8324A613F31D2509A5BD8807DBA7291F9C3940C02989568401ACED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056795Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:22.444{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950AB9E64A181967015493292F86C7F0,SHA256=CD7A964220E8938FC27DD2F3AD203A3BF840387717C00B8ECE55264374DEF634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056794Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:22.428{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056793Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:22.313{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=92900E9FF68D401E0CE06C4AE422D890,SHA256=625A4E5D68EF87A040B9226A99FD7405B5C5B784285E46829792955F4F1B97C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028588Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:23.877{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF442B63F1E4C446CDB99336CC29D313,SHA256=6506E6F568B3BC78A311A55936814C81571873387606DA9AA465DD9E09BA332F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056800Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:23.811{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056799Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:20.978{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056798Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:23.458{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10804607FCD72E3812EA29DBD6D5635F,SHA256=4624BC903C4ABCB8976F2E85727CA8636DDA5BE6CFDC5363CB75A31F98CCE448,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028587Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:21.201{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51234-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000056797Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:23.358{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1EB19FCF657AC68F2E009D2FFB4FE14A,SHA256=27DE1C7E77B356F6D002E260A79889043BF640993FE9044D28F222375B3549E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056796Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:23.112{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056803Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:24.705{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FBED037E4C3ECAE6D84DA2A161FA8B13,SHA256=5C8A24F44BA289C019BE6765541565A38C3C9718B1E4268478C90B4E4888D562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056802Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:24.573{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7555FDEDDF8BB9431D9D4208AB9259,SHA256=AE037031E472E0C5BF70C3C95ACF256D14FCA5715A57B5A2EF086DD815EA083A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056801Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:24.411{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8B9D5D779B19629B3EA00F3F7A5F498B,SHA256=8F07E2D0B59479190CB206712F2330E00FAB0A03D5D02F7CDB9A251358C50A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056807Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:25.957{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056806Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:25.607{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471BCEA6F9A26BF174FFAFAD066A24CB,SHA256=A6BACEFB00FFB0E1A90C788BB740AB6FB856D1486852455624BF5D56D7D1E55B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028589Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:25.111{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67109107403A31DA3C5F01C1D753D6F1,SHA256=1782F805E1E0899F70C42F175CCCCB7C2DCC3707D55E9E72D79A45D87C51E3D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056805Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:25.488{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A13CA3FAB0CD93DC69FA17DFC1C8DFBA,SHA256=7E7FCCA935C4D8A4653790F1061D99FA6CCE8BC906EBFF73CF2AF57FEA3CAAF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056804Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:25.210{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056810Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:26.706{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056809Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:26.626{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F64D870B24593844BE4D0DB56DFAD73,SHA256=0195024C827FEDCA3B3C7ADC62978871B791471F7A200B5CA4D66C9D8AB47B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028590Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:26.346{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01425AA7143C66AA0A64B8D378F868E,SHA256=5725676EC8BA42AA48619C3EBFC2F18875D25C74E4FEB98BAFF05DE2F0036A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056808Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:26.510{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FA251C746CFA027D9C29FD9D050BFB74,SHA256=EF16033AA91E67F30741919BBDB15469BC9D34A3BFB4F6476F1E39D6A9DBB090,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056813Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:26.091{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65079-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056812Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:27.656{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8D87A82F47192C8F1D2986ECD90D51,SHA256=FB546A9A30DE8A820FA166C935AB55C25815937E4BDD67922A7E68DF2769A9CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028592Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:26.042{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51235-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028591Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:27.474{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0B579DA8C3C808F867011FE0257209,SHA256=321B097AF1B37CF094BE9F950F2736356587867F24E9FB22C40CE630C71BA29C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056811Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:27.556{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EBF4A9EC1BAA147B788541988309FD20,SHA256=9A20EEFF9669507271D2EDBA61FFB47CDA389D7590160C78B742963D10DCD3C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056816Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:28.672{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE25ACF91AA4D942956A10A4BF28BEFC,SHA256=071132A1266983390629A74D10E667B5476880B018BC6981DD84D4EFD2D45D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028593Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:28.488{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7829D9E2C422FCA86C77F438F24337,SHA256=FE50A4305FC24B13B0F549DDD9D38F3A16852A0FAB756B80FC31AF5D79E5C48E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056815Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:28.610{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AB76FD7F435B8127BE6F18F443A5C773,SHA256=8F6F21475289494018FF29DD893E3CC6761194E9648011E70ECED188D272AFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056814Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:28.325{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028594Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:29.722{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6591F90F055C87389EEEDD2EF85FA44,SHA256=D627691D57515F9E48F5FBCE68E7E834EE56A4DEE9BBA3F663F65643A5AB809C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056820Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:29.771{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056819Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:29.707{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39AC8F72AD8EB00E50EED5255E510E7A,SHA256=CF7F40B94D12932F1EB1A550756EBBC2CE7364C3912495EA6484F30A44A9D894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056818Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:29.656{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3D2D0140026E119DDE60680199612748,SHA256=1C9ADADBF7DC1212C6B0784E85BA7294A0ADBA8797B4DD52513F7B0D25639505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056817Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:29.025{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028595Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:30.956{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9359C226797499C56C6358D0209CBAF3,SHA256=4EA57B21E07DD684666CDD018F4C6DCE8F65E132991266908E54C3435AC339F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056822Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:30.725{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B20F1B002A9DF2F46F4092FF15EF7F6C,SHA256=C2314CDA0BFFF665E425C9349577ECCBEBEDDBE578301C50E23BB488DBDF108E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056821Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:30.686{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=535FCBDDAA48F028CA68A3E170F768E4,SHA256=E233D6E71F1CFC606032AB6F1A62275841ABE8A50950CA5DF571F65D33E82D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056824Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:31.739{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47197B31321305C53F7C51531A9CBF12,SHA256=31A55A57584B28F4BE7FF86E744DE7FB70BEE0BE676589A030D2B67A8D4D6360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056823Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:31.708{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7E9C85F98CE6534D2E919C28F900E8C0,SHA256=D925680A5AA59D37583CF8D8FA98E5DF969C6C6753AA97FD55F48633A651300D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056826Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:32.754{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB9C57635F10AE01458C7CA6BF9EC8A,SHA256=89A7EC91FB124DF35BF1BA0563D04C1BFC2BDCF7242AC03C27DA767892C4AEBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056825Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:32.754{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2FDEDF7474F66BC50AE292F86FFB3F0C,SHA256=C84054BEB1625F360436F419FD956F819CFCA5DBEC0861882BE7383FAF984353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028596Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:32.191{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC8E36B66B730ADCF53D2748422FDB8,SHA256=6F9A36AA24543A30B3C86CDC23C2100E7BB8EF3865F071A6EE0FB31A20104340,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056829Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:32.019{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65080-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056828Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:33.803{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9FF15C3F567336DF277C477F271FBA,SHA256=AC21C61E1E917A9D38B7D368C18586A0100B00A9FE95662C9F70BE64F897FA3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028598Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:32.027{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51236-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028597Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:33.425{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4E786B51ED88A9C1204A2208A1F1BF,SHA256=7A3BFD04C0DE53F81C47A3619BB0CEADE67424EC66306B8DCEEAB4F56775873B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056827Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:33.785{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B6139B04AAB221676BABC20669770191,SHA256=57AE17A5470BE70D8414F6C19E199C537986E1A3E8CF4891E62047BE9B87B27A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056833Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:34.853{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC0FE5E06E772E0FF0DEBAFBCA6A416,SHA256=E175835E89673C27F244B4F67C11958C0277DBD3BEB81CEDF1AC09FF65802B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028599Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:34.441{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E111C41E9D972F2369F6A2161D77FB,SHA256=402D66C2C28B11869E76DFFAED3558012049B0B58AF234289BAE76BC2F5B7A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056832Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:34.806{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D32CFD75BF2067193CA9E1E546AA62A2,SHA256=9F81E7F3274763550DA7796F87774A015152C5319A95CE7111BC03D6DBFA9A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056831Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:34.105{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24A945558D48D5900377263E4EF12A5E,SHA256=B69FE9CD6399F618721EE32790425B9FB5AE57883F6C68CFCF90AEC4DB400D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056830Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:34.104{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E773180269C5586E15906BABE9D07B79,SHA256=09F4A0FDF5E5551EB1D5D3EA64C1C15167D148319A5B11AE5BF836EDB2F44D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056835Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:35.904{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0D7B2CA737E1BD40155DFC92B3BDB28A,SHA256=22BEBF70D5C6E85C22D5D802341A5854B282377F9A769C8C78127982A04C7466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056834Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:35.867{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE1766C87C842498E570B752BF04E16,SHA256=2EA2E49851A3D48C56365FDA371B18C0D54D9FAD055D84FA616EA82433E281CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028600Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:35.456{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B40BC613C8BB905EBC90174741D89C,SHA256=0BABB4A540CB77BAB3D8BC44A7003C21D74D1F0A63AC766B2C643A4B5CA17678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028601Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:36.691{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E7503A1D02F18072560CAFFD313BB3,SHA256=128210FA96E98C51258C364BCE37A9CD85736A993BFDD62D2B5075D0E48C66A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056837Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:36.935{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=15E313E54B75EF273E36F809938ADB42,SHA256=FD31A6926679B6D0ACED6C011C87AFC331695D959117788985686C65D2E2B0AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056836Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:36.882{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94831D416A6EE2AA51554C470F410A8,SHA256=14845F0658ECE816319D0FCA3D90316B65EFE6315AF8003C2ED2F895EBBE5283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028602Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:37.925{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B50C95F822F1B6FD2C1B7481EEE0655,SHA256=F5E43C1CEA84F41E750D34C2DCF1EA66677F110110B8402EBA23DC6AD6847B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056839Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:37.965{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=539C10A2588123CFD9F653AB431383D9,SHA256=E3D0AE5D9E3F57EFC25245B86CA0FC02F37B642539BEA1066B0413FE54B1541C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056838Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:37.899{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCB5109F6D8DD93B7843F07A5F6C46F,SHA256=EAB0855329D414D3117085918FA32F572EA0E66C8B9D4736854C8EF69307CDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056841Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:38.980{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B9CB5BFDB30279C83BA0985D57C1FA82,SHA256=529ADA819929C317887C628D55D81B0CEAF2D4E863017500519D9E41A9282E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056840Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:38.933{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35FC8671947CCC9A32145E92823BAE4,SHA256=840BDCCB28BDD39EA41767384119BA1D86A0EBCA6ACDE24BC7FDA0E98F8AC700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056844Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:39.963{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A300555EC13BC758A1F14E8BEE0AA0,SHA256=61840939E066435C184B44D6CE276D05ABBD9F9048C19B1A06DB18FDD7C39CC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056843Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:39.500{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\aborted-session-pingMD5=6F38A9E759E9A1AB5702D7A765C1A1FC,SHA256=5D7BECDD3478ED24B8263241100C22A7A573FF572A1D6D1DDF92FE55A663425A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056842Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:37.130{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65081-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028603Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:39.144{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD54925F2FAD8B7C221CEF13EC3DAD67,SHA256=B5C0D490A5A28DBA3EC7F4A3436C5F3C34CB180B253A5A97264AD09E242E40F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056848Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:40.999{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C244B89D72D0A9D29A549D4C5B183888,SHA256=9C1C28A7FFE2D8838C67297BC22C17F913098440E85A138DE58F9B797A7B8CDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056847Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:40.363{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056846Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:40.363{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056845Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:40.047{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2E3EEE11A92CE5FC7385D87FE3BC3666,SHA256=7B7A53542FD268EFB524853CF806B93AED23772D59142F2AF80F61215F51A556,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028605Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:37.980{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51237-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028604Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:40.144{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3064FA3EC781A02F5DBB4C85ECA7B6A7,SHA256=C5A2D89F8BC9BAE82F6700B51F0CE90A98DD50BC8C7BC94F0E0677172B85D9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028606Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:41.175{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9F63F2D79AE455F468F59CDD68FA6B,SHA256=20362F5B3E845284930491628F3B3D8340E16BB49DFE69D91F7DD6B3195F28C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056850Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:41.894{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55F4-60F5-A908-00000000E501}5940C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056849Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:41.079{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7B41C8FEAFD13B9B9666B923616B9FF7,SHA256=0DB9A0258FEC1A125875D60AEEC4880170692F28D68A0B746ABEFE4A0C6372B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028607Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:42.189{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F18C7E927EAD1781B20450AE80B2130,SHA256=9053BFD56B0B6B2AD3A97AC9CFBB8DFFC67E66D7B74E785D30E33EB743BA87C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056852Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:42.099{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DB3944DA73A339856990FA171CEEE7ED,SHA256=B400AD4C19ADAE5186F766826C01A57806F724F5884A7642CD78AE66BABB321B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056851Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:42.015{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E27C67012A047AD011DB83B182D592F0,SHA256=8CF593562E5B7290E66302BC5B5AC391A490641E5FA95C5C14EE3E7039E62164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028608Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:43.407{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF91B0BC3F5686D56ABDF5187982087,SHA256=40167A13067257791626B4A82D4D882EBAC555F924FB5CE6D0AF7C6568D3F8A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056861Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:43.729{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000056860Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:43.729{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056859Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:43.729{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF7bffa7.TMPMD5=94EEA79D9A0975F30553974C8581CE7A,SHA256=AFE916DCF97485612B2C6F9FD400B0B135E5F27E2BC7595DBB1C6A60195E967C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056858Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:41.296{43EB4363-37B8-60F5-3D00-00000000E501}3416C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65085-false169.254.169.254-80http 354300x800000000000000056857Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:41.199{43EB4363-37B8-60F5-3D00-00000000E501}3416C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65084-false169.254.169.254-80http 354300x800000000000000056856Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:41.150{43EB4363-37B8-60F5-3D00-00000000E501}3416C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65083-false169.254.169.254-80http 354300x800000000000000056855Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:41.149{43EB4363-37B8-60F5-3D00-00000000E501}3416C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65082-false169.254.169.254-80http 23542300x800000000000000056854Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:43.130{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CC0DC1F68FE4D0329CCB649C79FBB033,SHA256=1A39FF81F9DC2C3A72F8219197FC1071371F49383FDFEB7DCDACC15A66C43182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056853Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:43.045{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20FF565418819FB07270631DB076C55F,SHA256=9E094952AEB82096368CEBAC6108476331D11981767362C790F4B714EEEADE4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028609Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:44.564{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A80964E02B21D5B438098D91E2B52B1,SHA256=F2E7F41F99F8BB296B749A8BCF50F9D4CA8073458E2FD7716018B2A5F40B74C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056865Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:44.692{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056864Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:44.692{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056863Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:44.144{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=75AA3CC96BF54090EB2835457D3BADF8,SHA256=99278946B309D08A8A208B55702DA96F8C15504EF2A5A70291D0180ED4408F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056862Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:44.075{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF1E9A9992D197AD630CA78C6CA28AB,SHA256=A507A416C45DD4A9DF19EA95941EDDEC2260938A4DA62F5C88DBFEDA5BD21DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028611Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:45.798{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1348A32EFC211D0796170E5CC09A2EB1,SHA256=C84970FDB1443683E16D649F5DE331307F8F3B0103C42B26FF10BBB235807F8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056869Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:43.025{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65086-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056868Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:45.174{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=21E57F56416EE064721F374E6F2D7FD3,SHA256=5FAB88FB8B8A097A892FBE930EDFEE770384CC2736057C00712AF38F147DEF2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056867Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:45.143{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55FD-60F5-AE08-00000000E501}6676C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+521b0|C:\Program Files\Mozilla Firefox\xul.dll+29fa9ed|C:\Program Files\Mozilla Firefox\xul.dll+29fa4f7|C:\Program Files\Mozilla Firefox\xul.dll+da83b9|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056866Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:45.094{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7FEBB5DD3FA0B6BB4A567E74FAA5E96,SHA256=CCA5B3F4F22C75BAE25CB4322D68080A8C63E468B5A67242CF34FD19ABBD0F3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028610Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:43.931{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51238-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056871Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:46.210{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DDB6D832C20C89D4C012C1CC54F5927C,SHA256=8FF9A5712C5F28A6D2D63CC6E4C6AE5FAC4393535E2D2D05ABA8079AC66E01D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056870Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:46.111{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AFA3F025DA3AFE7590CA80A2804077E,SHA256=137D5272801C7FE109B33AF9C6B400D3C96DDDE356EB545F1C960F2CE450710E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028612Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:47.032{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B5B67D99E7C95872F348A2E4870CFC,SHA256=C5EA060F64C04D36E80DB6AB50A086DB4C4B9691B1DCC0DC7F53C26B379AE4D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056873Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:47.258{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B11F068AC467C088A5764FD521455D5A,SHA256=A39FC7D7D9936122EE988526745857C50762BAF78F4680B04D7F65CCD49BCC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056872Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:47.111{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862F9B67FD618F6338A624AA3AC3F9A0,SHA256=9D043630004BF82BF2A4FD91CC7CA429ECF12E11E589CAF27B8528A5C11A83EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028613Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:48.251{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCB62DF1197CE06AF8A53EA90F7485D,SHA256=FC877BCD00490F287967A1F7AF0C102E29E5B22729CB12D8F11E9A0E3F8EB21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056875Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:48.257{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=10FA9B0A2CA6FA3D01E9D0E980D08F46,SHA256=49209C4EE7519107088620A31C430E93B150929F7611BB9B3E541C239EF67DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056874Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:48.141{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B17FC4F946E0166C6DB4749F550507C,SHA256=BEC7753B333D76234AA890AA422A807D03AF35CD49FCC90725F7F75F7C8F2D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028614Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:49.360{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54612E7D2BF667F498176C8BB31E350C,SHA256=35AA77E86A1C201AA9D095E9F0F13D228D286D667F70528FB44C29B2DC2CDC9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056878Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:48.074{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65087-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056877Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:49.294{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=60A6AFECE6B1EE80DF0437B99162A670,SHA256=723A81763BF583A2F364CC61C41AEB1CD647B6EB9F48FAF6F9F28AA4B67E54AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056876Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:49.172{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79FE3691C2A5B3A89965E7CF695EE8C,SHA256=B6DA696CDD2FF86AF892A9C8DD6AA6E071F480C7A9E814CACA40264B5E87C760,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028616Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:48.947{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51239-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028615Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:50.595{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1A57CA0C6F236BF39512DD21E0824F,SHA256=D83BE95922E35743703A437BC802833780E4CB2334F126D4426ED709E31FA6C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056888Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.639{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5766-60F5-0A09-00000000E501}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056887Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.639{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056886Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.639{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056885Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.639{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056884Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.639{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056883Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.639{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5766-60F5-0A09-00000000E501}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056882Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.639{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5766-60F5-0A09-00000000E501}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056881Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.642{43EB4363-5766-60F5-0A09-00000000E501}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056880Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.339{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B323DB0368CF07F05AE698A196F646C7,SHA256=8BED2B63D765AE16330BE986AEABF0391D1495B0FE5F26ECA1941D6087B1909E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056879Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.189{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828C6721B728B27209F62C23569992C8,SHA256=4E1EF2B4DAC1E727B9E436737D00D20258D9ECE7F3BB8CD327330C290E8B7A5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028617Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:51.829{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42497CF5FC856C007C5C851A05608E4,SHA256=969985E625251195D3386D25806C4F4CD88446D75F919C85D00E14B2024CC71B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056909Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.931{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5767-60F5-0C09-00000000E501}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056908Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.931{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056907Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.931{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056906Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.931{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056905Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.931{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056904Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.931{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5767-60F5-0C09-00000000E501}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056903Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.931{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5767-60F5-0C09-00000000E501}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056902Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.932{43EB4363-5767-60F5-0C09-00000000E501}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056901Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.647{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=677ED0AF838D46294BB19BC9BD0FF91B,SHA256=A174A10E68B5FFFE5AAAA386391003AB189CE1AC67B11FAF87907E76564CFB94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056900Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.647{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24A945558D48D5900377263E4EF12A5E,SHA256=B69FE9CD6399F618721EE32790425B9FB5AE57883F6C68CFCF90AEC4DB400D95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056899Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.477{43EB4363-5767-60F5-0B09-00000000E501}77287748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056898Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.354{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7F5AC51143CA8B1E9CC9904BE0EE6442,SHA256=8DAE33DB7FE79E6AB91B126DBB4DAEDF336BCE6AE3E515760670AD37D0CBB1F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056897Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.254{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5767-60F5-0B09-00000000E501}7728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056896Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.254{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056895Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.254{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056894Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.254{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056893Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.254{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056892Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.254{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5767-60F5-0B09-00000000E501}7728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056891Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.254{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5767-60F5-0B09-00000000E501}7728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056890Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.256{43EB4363-5767-60F5-0B09-00000000E501}7728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056889Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.207{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD23F24C15FC353C3D12DA3FD58B8140,SHA256=EBE4E810EC7F22F80C80C1A266861BEAB43F4B427F3466C00FFC38FF8189D2D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028618Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:52.939{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7235E91AFEA7318805636453652A90B,SHA256=316982D6F1B88074C7602A05BBD20A7E65571A314B70E3475BC84560F9D1EC58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056912Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:52.946{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=677ED0AF838D46294BB19BC9BD0FF91B,SHA256=A174A10E68B5FFFE5AAAA386391003AB189CE1AC67B11FAF87907E76564CFB94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056911Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:52.362{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C02EDFF2EDBC14AC5BB6E0BD5C1532BC,SHA256=64863CF515EB7B939E83877B26B5434D25E512F4933D0AA114B1A1D15130B9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056910Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:52.216{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116B53E2DE1F95BF66BCE9F6B083908C,SHA256=577665A5D960C0DE0599A8596F189038A4E2410EB38F2FCD55A80D22979E0308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056914Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:53.461{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DAB16F453BDEF59F45159DF31045A418,SHA256=485CB178404C493AFB27F91902ECAC855107A9ABDFCC839CA3E9EA24476A4F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056913Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:53.230{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0CC9B26A0DEF36325B257B9B603893,SHA256=C90F5A4303E03DF98CA1C2136E7754722D049F4BF162A10674C6DF6511E83E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028619Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:54.189{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D2F1700A8BA9561147E784D5B70187C,SHA256=746D9E861052439B408113BC7A6F177DCB2D3DFDA60851BEDC2783C9F9392ADF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056938Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.927{43EB4363-576A-60F5-0E09-00000000E501}78647896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056937Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.759{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-576A-60F5-0E09-00000000E501}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056936Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.743{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056935Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.743{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056934Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.743{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056933Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.743{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056932Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.743{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-576A-60F5-0E09-00000000E501}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056931Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.743{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-576A-60F5-0E09-00000000E501}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056930Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.744{43EB4363-576A-60F5-0E09-00000000E501}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056929Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.712{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68AC3BB7F3CEF85F9EEB115D6BFF09C7,SHA256=FF25647054A86237F0BB6A763EDB560EAB31B377471A66784C03F7C71256EFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056928Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.544{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CE1DE1BE2D8470D2AA495C8701154B61,SHA256=E26D857F49EA3AD27C8E85A8CF78F3F207F8DDC0BA51460CCD102F22F30CF169,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056927Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.381{43EB4363-576A-60F5-0D09-00000000E501}52767848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056926Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.244{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4137018B5C4428487B010CFCD44F559,SHA256=B063AB9A62A9F0546EC78BEB9C2E3C3511E40CB49C867EB654D82F49ED309DAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056925Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.228{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-576A-60F5-0D09-00000000E501}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056924Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.228{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056923Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.228{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056922Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.228{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056921Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.228{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056920Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.228{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-576A-60F5-0D09-00000000E501}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056919Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.228{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-576A-60F5-0D09-00000000E501}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056918Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.229{43EB4363-576A-60F5-0D09-00000000E501}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000056917Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.160{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.160{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056915Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.160{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000028635Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:54.103{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51240-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000028634Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.689{53AF6CEB-576B-60F5-FB05-00000000E601}9521644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028633Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-576B-60F5-FB05-00000000E601}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028632Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028631Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028630Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028629Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028628Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028627Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028626Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028625Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028624Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028623Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-576B-60F5-FB05-00000000E601}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028622Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-576B-60F5-FB05-00000000E601}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028621Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.533{53AF6CEB-576B-60F5-FB05-00000000E601}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028620Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.345{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDB1C9E0326BF62DAADC958A058205E,SHA256=AB263949E1775E12A20DE6E1D6865D9801BCC4C5B0DA100113FB21C401B42E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056943Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:55.758{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B62CC8FC769A9EC8D21E01457BA99F37,SHA256=0BF1D6840554F4D0085207F66B5954C9651DA158F39D10915C9E49C06E9F7AEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056942Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:55.558{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F88E7C80FCE83260325D1F336B08BD79,SHA256=3B14E2AAC2FCE812395BA45914E190A12AAD9137729063D5C7C1683954553F57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056941Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:53.594{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65088-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000056940Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:53.593{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65088-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 23542300x800000000000000056939Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:55.258{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D68CD19F05952FB00B86CE91E61749,SHA256=308280396CDAC8BD2CC3F39B8A81DE9470EF7523E5A6FEF1FFCA12C1591EC6B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028664Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-576C-60F5-FD05-00000000E601}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028663Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028662Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028661Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028660Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028659Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028658Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028657Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028656Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028655Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028654Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-576C-60F5-FD05-00000000E601}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028653Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-576C-60F5-FD05-00000000E601}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028652Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.877{53AF6CEB-576C-60F5-FD05-00000000E601}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028651Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.673{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422A4976F367121CD500E1BBD0DBD5C8,SHA256=EB432055217BE0C7D535D309ED6A627BBF2414DDF38F5AA137D0CC59708302E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056964Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.794{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056963Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.741{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-576C-60F5-1009-00000000E501}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056962Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.741{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056961Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.741{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056960Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.741{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-576C-60F5-1009-00000000E501}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056959Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.741{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056958Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.741{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056957Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.741{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-576C-60F5-1009-00000000E501}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056956Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.742{43EB4363-576C-60F5-1009-00000000E501}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056955Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.557{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=89DD80096EB40546F4779C983DFB53A1,SHA256=1FCB914E189C473D3CF370FA111B8E6735C16477136B789C1B1506F766A43BD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056954Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.441{43EB4363-576C-60F5-0F09-00000000E501}13848092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000056953Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.030{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056952Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.279{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89DAB33FF5EB7A24945692EE266020D9,SHA256=C124624087EB674BCD02423FD0E03FA6703A7F423CE9144EFF623B65204D4509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028650Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.548{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9B183BCC0E7BE75763EE55F3C46415F,SHA256=C30E979F336577E8A96ABEE94B612E2D56BF41E12FAC7A1A65C401563F87C21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028649Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.548{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7D39A466F38CF7B5798A8F320AAAC02,SHA256=B2E8EDDB86C3F4AD3D01713355862A20AE73AE00C262E4E6713A427AE6110843,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028648Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028647Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028646Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028645Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028644Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028643Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028642Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028641Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028640Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-576C-60F5-FC05-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028639Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028638Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-576C-60F5-FC05-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028637Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-576C-60F5-FC05-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028636Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.205{53AF6CEB-576C-60F5-FC05-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000056951Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.242{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-576C-60F5-0F09-00000000E501}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056950Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.242{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056949Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.242{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056948Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.242{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056947Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.242{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056946Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.242{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-576C-60F5-0F09-00000000E501}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056945Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.242{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-576C-60F5-0F09-00000000E501}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056944Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.242{43EB4363-576C-60F5-0F09-00000000E501}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028680Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.986{53AF6CEB-576D-60F5-FE05-00000000E601}1723468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028679Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.892{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9B183BCC0E7BE75763EE55F3C46415F,SHA256=C30E979F336577E8A96ABEE94B612E2D56BF41E12FAC7A1A65C401563F87C21F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028678Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-576D-60F5-FE05-00000000E601}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028677Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028676Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028675Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028674Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028673Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028672Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028671Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028670Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-576D-60F5-FE05-00000000E601}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028669Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028668Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028667Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-576D-60F5-FE05-00000000E601}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028666Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.815{53AF6CEB-576D-60F5-FE05-00000000E601}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028665Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.689{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46CE8F9F7283A40DDF22D1DCC1E9746,SHA256=174738A2BDA83AE91E49EB717BF046E35903523EEDACE697EC6EBC68078A2F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056973Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.880{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=8F66E0C9D6D3E9AAD591DFCFC9A664DD,SHA256=462747596B27B0C7515DCD9A8AB966271A13C66D23D66616ECE74E09015C9A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056972Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.880{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=3D958BBA57E8A3EF208FB5BC8AE14C96,SHA256=EAB8538049D347BFB1616CA4EC0DDD1D852EA00AD8DF4D67C0FFCFAC7EB398EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056971Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.880{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=E0B9F91A72803325EB91ADCB93E92F74,SHA256=3991456CEA534733BF526F93ADE863A5041BD8A97FB5DCB784D11448CF7F8C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056970Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.879{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=A7DD20D14625E95D4CCA9AFFD0012F07,SHA256=1CA07C428E910F8A6C6BFF7E1EA66ED3666E28B5E7548CAEA91EED58C11037E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056969Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.877{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=99B7CEB4F43533359ED6460C4115F6BC,SHA256=9CC2859A62083DA3AB2EBA619D6FF864AF0CEA3EBA81F2C16705922732E4EFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056968Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.876{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=E5009320B373ED5F538993C4BA69F81B,SHA256=562E3C8DFB1CF97D34A3E7A9AA5C04EBF4AB67A99A2518F539581706BD0F2A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056967Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.628{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=893B42289352DA675F1A8F1F10264150,SHA256=2A8C408206637349DBA9732808E8390A86527E3674117749EC59FA0BEB6924C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056966Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.326{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCEADF41FBEE227AB39E7184D7B8CF4,SHA256=BD254B72BB12ABBC7A11383E1B624531F40E1DE88DEC46C3FE89D4DC6ADBFDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056965Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.257{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD3A8C4648FF3AF5782C109ED7B739A5,SHA256=22E6FCD5CC47920406B6AE84536D4E693ED381E6D379D4AACA88567320345502,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028694Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-576E-60F5-FF05-00000000E601}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028693Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028692Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028691Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028690Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028689Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028688Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028687Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028686Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028685Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028684Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-576E-60F5-FF05-00000000E601}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028683Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-576E-60F5-FF05-00000000E601}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028682Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.986{53AF6CEB-576E-60F5-FF05-00000000E601}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028681Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.923{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FAA980813008E74BCE94D29301CBA64,SHA256=37BE71E31E237344E95930488CDE4B7F47CFA4DF2BCAC22535FCAF616ED0E389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056975Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:58.780{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=67DDD3337546324F3CC761FEF68C54F1,SHA256=BB42398EA5C3602647FC81042B0F7AAD1AA81D7BFE1511C4F5683189745A4EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056974Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:58.327{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F235A08B3C0B38265CDDFC43C20E274F,SHA256=B0EFDC9560CD19D4A8F7A33E00B9F0A2FF2A3165B6FD9D94B949233F2B6616FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056977Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:59.859{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6159CA2783EE0E91A65587A0A145134B,SHA256=3CD26367B1BE5DA4DAB4CB1A4C63CDC474535B457ADC6C45B898D0B65A02F3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056976Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:59.342{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7A93492860C34444F8443BA11F9241,SHA256=70D5027DE3AE04134F35D158444D8706F762FFB61E8F2D346746EAE104EEFD8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028709Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.829{53AF6CEB-576F-60F5-0006-00000000E601}27004040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028708Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-576F-60F5-0006-00000000E601}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028707Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028706Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028705Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028704Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028703Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028702Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028701Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028700Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028699Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028698Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-576F-60F5-0006-00000000E601}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028697Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-576F-60F5-0006-00000000E601}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028696Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.658{53AF6CEB-576F-60F5-0006-00000000E601}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028695Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.157{53AF6CEB-576E-60F5-FF05-00000000E601}33362580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028711Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:00.204{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AAD3DD9BE8D8A5B893115852F12916,SHA256=C64DD1E1979924014835FBB6B428AA63AAA679FCCD11FB11D0849A2752B0B128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056980Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:00.878{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=13BC6AB461F99BDB7BC0F857A9423784,SHA256=1FDFDED087F3204D496CB0E784956BDCE0BBD94F58A912789B9E90EDA9AE583F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056979Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:59.128{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056978Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:00.370{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22449D03BF79D7814D5A7F75A9B0A593,SHA256=769CDE9A30B4A57DD305F00E03A579A32076EAEA90641412978926F78D510DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028710Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:00.001{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CAF6FC065D7FAD511C0184B141F701A,SHA256=201848E9AB940E46AEB95362D84FF1E497504B946415BD32BD9A9B52F62A4F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056982Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:01.893{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=09955489255185AD8229976EC026A8EB,SHA256=AF39387BD981C48C6A0099DD91F727EC0D4F611D371BF531FFB840A18DB3E7DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056981Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:01.393{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC9CDFAC5D4D111D815251995F330CC,SHA256=D9B8A7C04F93C7B7E562A313A01C3DD2EF6C9B7A6259B182194B575C7A89B6EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028725Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE47B21D055968ADEABF39CB1CEBAEC,SHA256=F8F586899BE7BEA7563147197DDA040D05D32A63086E1ACA71400974D7E7CA17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028724Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5771-60F5-0106-00000000E601}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028723Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028722Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028721Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028720Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028719Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028718Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028717Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028716Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028715Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028714Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5771-60F5-0106-00000000E601}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028713Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5771-60F5-0106-00000000E601}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028712Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-5771-60F5-0106-00000000E601}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028728Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:02.490{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A052BC1E620A0E045A4D85EEBE58AF6A,SHA256=35EA03CD70CDB1FB3E36E521B448E6AD0432EA786E38040959EC354F95CE0284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028727Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:02.458{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF091FD859D739D17822A68782CE2B3,SHA256=2FF2869B5B289699A65B9BC97988A7BA125B8256C30153AD3ABA61A508895612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056984Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:02.955{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A673726273CDEB3A8CB443CF58109020,SHA256=0D26ED2A735B4186BF94DE095AF119E2F4A4F7BB4F3DDD6223D0614D748CD8C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056983Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:02.424{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2567E28493EF032EA04EF84C6D676B0F,SHA256=7EDC483F45531CBA2F106FA525A253A468D81886E859D62D4C9F388F219914F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028726Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.994{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51241-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028729Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:03.693{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98889F6DB7EDCE9D5F6A90EF099DC57,SHA256=30AFF4678448D825FB0F98674EB192C79C82DEC502326B0E47F66BF6D076B36E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057017Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.991{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF904461561DC7C92B.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057016Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.991{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF5D4B81298225E8F4.TMPMD5=98E9EC71D6A17A41EC02E5E32CAE4C7A,SHA256=69F7C2A9F637FF9B85C7FD2DBE1B65234C63E89AD102466E9587EA9A1EC74D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057015Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.991{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSICAC6.tmpMD5=C447593BC94FFE3393BA263A452FD61B,SHA256=4AEF26774A6D58BFC9A1DBFD0C8DC1A13A4F8A8DCC35F63CEF0C0D2D214CA651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057014Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.938{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=35209366D1503DA6DE4BBDA398891B02,SHA256=10AA48C9742C8B31A15E9B71AFF903897A8EDE6586AD9B5942FA3F6146D7BDA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057013Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.454{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CCA.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057012Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.454{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_14.rslcMD5=78FC2616D762A72323B1763C00C58383,SHA256=53DE3AFE5202DFA41CA7115EF6C9960F0A0BDE47F9D80F2AD9B25E22A77C5EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057011Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.454{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CC9.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057010Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.454{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_12.rslcMD5=EB4F1502CEAB0BF3B61B187902B9D794,SHA256=FD36225F8C61F3BA7129A7ABA0BC73AA3712D7230A9027D6B8992A70331D6ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057009Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.454{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CC8.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057008Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.454{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_13.rslcMD5=290F9D5685ED26C271A73883938AB4BE,SHA256=4980B18902FDBE76860340ACDF04424D3752D28AC2936F1C2109078629F47764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057007Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CB7.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057006Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_11.rslcMD5=D96F7EA7433252C03B01DCF24EAD49DF,SHA256=D5F7DABF77B6B1A02C6D12305DD568593A13231CF2C287264813F3AB5330E04B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057005Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CB6.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057004Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_10.rslcMD5=F1DA9FD3ACE2E51C19E8D04C531EF0F1,SHA256=A92021A5453B393D6A52E0ED1321EEFCEB9F167B5489766C52F9DEDC83AE5907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057003Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4668F8D99CFB8EA35620C492305CA7C1,SHA256=88EE9D470CD0751E147B339E8E1D1C4CA6BDBC168BCD83E3DA3250CB7BB3EF9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057002Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CB5.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057001Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_9.rslcMD5=9789ACAFA2E1CD4A36C302DF216F78DB,SHA256=F73403196E5B3601FA212CB783114E086BF2E9A4663C052D439ED75D4158BC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057000Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CB4.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056999Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_6.rslcMD5=F06147BFCFF9DE987FE8827AFE4C1D39,SHA256=54D31BA0BD67235AA34EB1DCF18B863B3F74D1B6380C2D04660AAE2CDE35E663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056998Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.423{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CA4.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056997Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.423{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_8.rslcMD5=66FA81BF84EB89921F0D1A733DF3F41B,SHA256=67C43D933D1689CD0E6AB17C07D8EA14B966B269048C20440FAEB14F861F85FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056996Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.423{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CA3.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056995Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.423{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_7.rslcMD5=60A87774E3F8F882E78F5D1FF5CF5C64,SHA256=FF452B36FD530F7069528526493C141FB3E6EDEA6559DE2CEB4DBBDBA36D731B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056994Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.423{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CA2.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056993Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.423{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_5.rslcMD5=A9413B4737F03C8A01F3B845A089D509,SHA256=D752BC0C98F09F8D94E25DD0853FBEB26612108AE1FBFB95BBF399090348C015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056992Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.423{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CA1.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056991Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.423{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_4.rslcMD5=ECBE0ED9E6EC48ADB4D687413A827E32,SHA256=96FDAF61A684C7CD0051A08C04073B3D76178D34EFBDF64887FBB83D60F2D346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056990Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.407{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4C90.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056989Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.407{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_2.rslcMD5=A101693CB6A0CC5BCB1E673CEFFA04F9,SHA256=90313517953B8361EF60D2E4BF2C137DCD3649B2E717CB90D6048EE8455933A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056988Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.407{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4C8F.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056987Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.407{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_3.rslcMD5=94C8E916AD6E6687A8C3A8B518D397F1,SHA256=CA803AECD559E93C5F871E2D8D427B6F522E2F6195D216C2C20CD7731D8CEA1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056986Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.407{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4C8E.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056985Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.407{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_1.rslcMD5=66A4F769C8DA87F789D2F0E2A11F0E32,SHA256=A2EF12C1C39F56FDA6005F3142A53D0B991466B29454A1A840F116B99A91A125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028730Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:04.786{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF23D40C88A7986A0CB81105C1C257F,SHA256=27998DAF6C651D2651A826C615744D81D1B418BF10FB3634E57A3460CF58C56F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057112Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.990{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-2809-00000000E501}7640c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057111Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.990{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-2809-00000000E501}7640c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057110Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.965{43EB4363-5774-60F5-2909-00000000E501}76567964C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-2809-00000000E501}7640c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057109Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.955{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2909-00000000E501}7656C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057108Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.950{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2809-00000000E501}7640c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057107Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.949{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-2809-00000000E501}7640c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057106Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.944{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9D52DCB5268BA0E1B2DD715E32C6393C,SHA256=57A44A0EB262BAEBBAEDBB5ACADD621B52962EE016378360051D4EDA68E5983F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057105Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.938{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-2609-00000000E501}5536c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057104Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.938{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-2609-00000000E501}5536c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057103Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.906{43EB4363-5774-60F5-2709-00000000E501}72008184C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-2609-00000000E501}5536c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057102Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.897{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2709-00000000E501}7200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057101Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.886{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2609-00000000E501}5536c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057100Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.886{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-2609-00000000E501}5536c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057099Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.876{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-2409-00000000E501}5896c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057098Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.875{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-2409-00000000E501}5896c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057097Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.855{43EB4363-5774-60F5-2509-00000000E501}62368164C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-2409-00000000E501}5896c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057096Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.847{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2509-00000000E501}6236C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057095Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.843{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2409-00000000E501}5896c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057094Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.842{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-2409-00000000E501}5896c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057093Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.831{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-2209-00000000E501}5752c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057092Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.831{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-2209-00000000E501}5752c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057091Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.808{43EB4363-5774-60F5-2309-00000000E501}62126060C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-2209-00000000E501}5752c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057090Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.795{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2309-00000000E501}6212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057089Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.788{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2209-00000000E501}5752c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057088Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.787{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-2209-00000000E501}5752c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057087Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.776{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1C09-00000000E501}7552c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057086Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.776{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1C09-00000000E501}7552c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057085Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.648{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE2967EB044D44E052147B25DABA0D8,SHA256=A5C894FCC7A89B9AD0D51FAA132EAA484D9541EE935C7042F73234BE192B6DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057084Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.645{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057083Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.615{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CA244E1A5BA730F36039E0CCEEE931C6,SHA256=2A1482115E5B3108432B7AD13B81B30FC008364ABEC61603062514AF9765C0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057082Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.613{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66E976F86FFD1321D9351F22C9ED20E,SHA256=EFD9BFE9E3967E93AB8BF985BFF40212765DE2F0E42444B46B19731A1BDEE8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057081Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.612{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D025BFAEA81082EE1BCCE4D672FAECDC,SHA256=28EE3C21A48BB94F9F02BF94436F751E1E3E7A80F1BB22BCD62D516C3172FBFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057080Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.569{43EB4363-5774-60F5-2109-00000000E501}72607104C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-1E09-00000000E501}7584C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057079Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.569{43EB4363-5774-60F5-2009-00000000E501}67164680C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-1F09-00000000E501}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057078Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.569{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2009-00000000E501}6716C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057077Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.569{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2109-00000000E501}7260C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057076Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057075Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057074Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057073Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057072Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1F09-00000000E501}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057071Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-5774-60F5-1309-00000000E501}73203364C:\Windows\system32\taskhostw.exe{43EB4363-5774-60F5-1F09-00000000E501}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c01b0|UNKNOWN(00007FFD808215F2) 154100x800000000000000057070Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.561{43EB4363-5774-60F5-1F09-00000000E501}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe4.8.4330.0 built by: NET48REL1LAST_BMicrosoft .NET Framework optimization serviceMicrosoft® .NET FrameworkMicrosoft CorporationNGenTask.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe" /RuntimeWide /StopEvent:708C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=D2DDF021EE6A8A649FB58F6DD05EDED7,SHA256=AC1B312B5D048DAC81327CF083BDEF2966AA883208455490E73D6E34C932B7D9,IMPHASH=00000000000000000000000000000000{43EB4363-5774-60F5-1309-00000000E501}7320C:\Windows\System32\taskhostw.exetaskhostw.exe /RuntimeWide 10341000x800000000000000057069Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057068Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057067Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1E09-00000000E501}7584C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057066Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057065Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057064Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-5774-60F5-1309-00000000E501}73207568C:\Windows\system32\taskhostw.exe{43EB4363-5774-60F5-1E09-00000000E501}7584C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c01b0|UNKNOWN(00007FFD808215F2) 154100x800000000000000057063Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.558{43EB4363-5774-60F5-1E09-00000000E501}7584C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe4.8.4330.0 built by: NET48REL1LAST_BMicrosoft .NET Framework optimization serviceMicrosoft® .NET FrameworkMicrosoft CorporationNGenTask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe" /RuntimeWide /StopEvent:872C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=196F531423F864F990B24F3D3AFA9AA1,SHA256=353C8C617C87A56F93C9914E219BE4E30A45A0DEA8D98BF34C6BD81A6A287916,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{43EB4363-5774-60F5-1309-00000000E501}7320C:\Windows\System32\taskhostw.exetaskhostw.exe /RuntimeWide 10341000x800000000000000057062Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.438{43EB4363-5774-60F5-1D09-00000000E501}45764080C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-1C09-00000000E501}7552c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057061Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.406{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1D09-00000000E501}4576C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057060Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.387{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1C09-00000000E501}7552c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057059Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.386{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-1C09-00000000E501}7552c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057058Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.369{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1A09-00000000E501}7252c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057057Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.369{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1A09-00000000E501}7252c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057056Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.338{43EB4363-5774-60F5-1B09-00000000E501}72204568C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-1A09-00000000E501}7252c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057055Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.338{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1B09-00000000E501}7220C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057054Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.322{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1A09-00000000E501}7252c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057053Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.322{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-1A09-00000000E501}7252c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057052Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.306{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1809-00000000E501}7276c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057051Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.306{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1809-00000000E501}7276c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057050Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.291{43EB4363-5774-60F5-1909-00000000E501}75048172C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-1809-00000000E501}7276c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057049Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.286{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1909-00000000E501}7504C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057048Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.269{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1809-00000000E501}7276c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057047Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.269{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-1809-00000000E501}7276c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057046Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.253{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1609-00000000E501}7492c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057045Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.253{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1609-00000000E501}7492c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057044Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.238{43EB4363-5774-60F5-1709-00000000E501}1292360C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-1609-00000000E501}7492c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057043Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.222{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1709-00000000E501}1292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057042Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.222{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1609-00000000E501}7492c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057041Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.222{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-1609-00000000E501}7492c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057040Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.206{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057039Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.206{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057038Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.191{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1409-00000000E501}7444c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057037Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.191{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1409-00000000E501}7444c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057036Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.154{43EB4363-5774-60F5-1509-00000000E501}74727496C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-1409-00000000E501}7444c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057035Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.138{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1509-00000000E501}7472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057034Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.138{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1409-00000000E501}7444c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057033Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.138{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-1409-00000000E501}7444c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057032Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.138{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057031Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.138{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057030Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.138{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057029Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.138{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057028Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.122{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057027Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.122{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057026Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.107{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1109-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057025Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.107{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1109-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057024Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.053{43EB4363-5774-60F5-1209-00000000E501}72564612C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-1109-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057023Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.038{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1209-00000000E501}7256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057022Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.038{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1109-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057021Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.038{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-1109-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057020Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.022{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI4EE4.tmpMD5=FCCDC45CA17E5180B40EFC28052BAC39,SHA256=4AB37B0F9C5FE3505E1ECFE0764AAA04838CF81F9E0A402425E057F7A251E621,IMPHASH=620AD7AB8901854C91622E052544AEE7truetrue 23542300x800000000000000057019Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.991{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF70C4C1BD24C69D4B.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057018Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.991{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF6E793D12DC3C7E23.TMPMD5=98E9EC71D6A17A41EC02E5E32CAE4C7A,SHA256=69F7C2A9F637FF9B85C7FD2DBE1B65234C63E89AD102466E9587EA9A1EC74D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028731Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:05.927{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA889215D12D2979EF4CC831153DC94F,SHA256=BD1730E60DD89B8E1ED02121D08CE0ADC5613215803447035DA67B6D99DC1BED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057264Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.988{43EB4363-5775-60F5-5909-00000000E501}76847772C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-5809-00000000E501}616c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057263Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.988{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5909-00000000E501}7684C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x800000000000000057262Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.988{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9C8FFBCB6EBBC7B47BB33DCC97442B,SHA256=30224C69C8DADF52DC5F257BE08ED9A06EAFC3F2CF0478348663C6E0B40AC75E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057261Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.973{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5809-00000000E501}616c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057260Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.973{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-5809-00000000E501}616c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057259Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.973{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5609-00000000E501}7108c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057258Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.973{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5609-00000000E501}7108c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057257Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.957{43EB4363-5775-60F5-5709-00000000E501}76367176C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-5609-00000000E501}7108c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057256Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.941{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5709-00000000E501}7636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057255Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.941{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5609-00000000E501}7108c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057254Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.941{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-5609-00000000E501}7108c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057253Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.937{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5409-00000000E501}6428c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057252Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.937{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5409-00000000E501}6428c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057251Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.903{43EB4363-5775-60F5-5509-00000000E501}81005896C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-5409-00000000E501}6428c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057250Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.903{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5509-00000000E501}8100C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057249Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.903{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5409-00000000E501}6428c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057248Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.903{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-5409-00000000E501}6428c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057247Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.888{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5209-00000000E501}5936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057246Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.888{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5209-00000000E501}5936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057245Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.872{43EB4363-5775-60F5-5309-00000000E501}68446060C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-5209-00000000E501}5936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057244Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.856{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5309-00000000E501}6844C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057243Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.856{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5209-00000000E501}5936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057242Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.856{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-5209-00000000E501}5936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057241Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.841{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5009-00000000E501}7128c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057240Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.841{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5009-00000000E501}7128c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057239Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.819{43EB4363-5775-60F5-5109-00000000E501}76204080C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-5009-00000000E501}7128c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057238Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.819{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5109-00000000E501}7620C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057237Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.803{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5009-00000000E501}7128c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057236Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.803{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-5009-00000000E501}7128c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057235Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.803{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4E09-00000000E501}6952c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057234Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.803{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4E09-00000000E501}6952c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057233Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.788{43EB4363-5775-60F5-4F09-00000000E501}36603860C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-4E09-00000000E501}6952c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057232Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.772{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4F09-00000000E501}3660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057231Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.772{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4E09-00000000E501}6952c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057230Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.772{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-4E09-00000000E501}6952c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057229Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.756{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4C09-00000000E501}8180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057228Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.756{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4C09-00000000E501}8180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057227Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.741{43EB4363-5775-60F5-4D09-00000000E501}73247216C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-4C09-00000000E501}8180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057226Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.741{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4D09-00000000E501}7324C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057225Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.719{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4C09-00000000E501}8180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057224Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.719{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-4C09-00000000E501}8180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057223Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.719{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4A09-00000000E501}7480c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057222Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.719{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4A09-00000000E501}7480c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057221Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.703{43EB4363-5775-60F5-4B09-00000000E501}72127484C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-4A09-00000000E501}7480c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057220Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.688{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4B09-00000000E501}7212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057219Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.688{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4A09-00000000E501}7480c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057218Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.688{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-4A09-00000000E501}7480c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057217Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.672{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4809-00000000E501}7532c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057216Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.672{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4809-00000000E501}7532c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057215Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.657{43EB4363-5775-60F5-4909-00000000E501}75007540C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-4809-00000000E501}7532c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057214Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.657{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4909-00000000E501}7500C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057213Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.641{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4809-00000000E501}7532c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057212Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.641{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-4809-00000000E501}7532c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057211Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.641{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4609-00000000E501}7256c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057210Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.641{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4609-00000000E501}7256c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057209Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.619{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F2C6BA89A64A2A7197749276C7C2B6,SHA256=3369C16FE13E8504ACA7D541511E51C13049483D5BE7B30D32528AA3CDB311C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057208Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.619{43EB4363-5775-60F5-4709-00000000E501}74567304C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-4609-00000000E501}7256c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057207Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.604{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4709-00000000E501}7456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057206Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.604{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4609-00000000E501}7256c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057205Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.604{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-4609-00000000E501}7256c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057204Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.588{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4409-00000000E501}8104c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057203Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.588{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4409-00000000E501}8104c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057202Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.572{43EB4363-5775-60F5-4509-00000000E501}74085216C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-4409-00000000E501}8104c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057201Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.572{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4509-00000000E501}7408C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057200Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.557{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4409-00000000E501}8104c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057199Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.557{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-4409-00000000E501}8104c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057198Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.557{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4209-00000000E501}104c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057197Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.557{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4209-00000000E501}104c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057196Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.539{43EB4363-5775-60F5-4309-00000000E501}45007300C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-4209-00000000E501}104c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057195Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.519{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4309-00000000E501}4500C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057194Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.519{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4209-00000000E501}104c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057193Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.519{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-4209-00000000E501}104c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057192Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.504{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4009-00000000E501}8076c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057191Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.504{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4009-00000000E501}8076c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057190Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.504{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646367E37BE536AAAB1C5F9498418D70,SHA256=EE7EDD4AA62832089EEC1BC270769ADB64324EA1A6602EE51101A8A631EF1445,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057189Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.488{43EB4363-5775-60F5-4109-00000000E501}5041368C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-4009-00000000E501}8076c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057188Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.488{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4109-00000000E501}504C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057187Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.472{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4009-00000000E501}8076c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057186Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.472{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-4009-00000000E501}8076c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057185Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.472{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3E09-00000000E501}8072c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057184Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.472{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3E09-00000000E501}8072c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057183Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.457{43EB4363-5775-60F5-3F09-00000000E501}80368108C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-3E09-00000000E501}8072c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057182Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.441{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3F09-00000000E501}8036C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057181Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.441{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3E09-00000000E501}8072c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057180Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.441{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-3E09-00000000E501}8072c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057179Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.439{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3C09-00000000E501}5304c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057178Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.439{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3C09-00000000E501}5304c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057177Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.404{43EB4363-5775-60F5-3D09-00000000E501}80568016C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-3C09-00000000E501}5304c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057176Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.404{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3D09-00000000E501}8056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057175Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.404{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3C09-00000000E501}5304c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057174Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.404{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-3C09-00000000E501}5304c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057173Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.388{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3A09-00000000E501}8004c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057172Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.388{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3A09-00000000E501}8004c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057171Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.373{43EB4363-5775-60F5-3B09-00000000E501}81887956C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-3A09-00000000E501}8004c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057170Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.357{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3B09-00000000E501}8188C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057169Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.357{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3A09-00000000E501}8004c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057168Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.357{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-3A09-00000000E501}8004c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057167Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.341{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3709-00000000E501}8c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057166Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.341{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3709-00000000E501}8c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057165Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.341{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3909-00000000E501}1384C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057164Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.341{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3909-00000000E501}1384C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057163Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.320{43EB4363-5774-60F5-2109-00000000E501}72607104C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-3909-00000000E501}1384C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057162Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.320{43EB4363-5775-60F5-3809-00000000E501}78807976C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-3709-00000000E501}8c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057161Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.320{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3909-00000000E501}1384C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057160Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.320{43EB4363-5774-60F5-1E09-00000000E501}75847600C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{43EB4363-5775-60F5-3909-00000000E501}1384C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+3d7ae(wow64)|UNKNOWN(0000000004444853)|UNKNOWN(0000000004444504)|UNKNOWN(0000000004442103)|UNKNOWN(0000000004440F66)|UNKNOWN(0000000004440950)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+f066(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1234a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1862b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+199457(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1bb98a(wow64) 10341000x800000000000000057159Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.320{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3809-00000000E501}7880C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057158Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.304{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3709-00000000E501}8c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057157Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.304{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-3709-00000000E501}8c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057156Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.304{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3509-00000000E501}7864c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057155Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.304{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3509-00000000E501}7864c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057154Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.273{43EB4363-5775-60F5-3609-00000000E501}78567948C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-3509-00000000E501}7864c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057153Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.273{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3609-00000000E501}7856C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057152Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.273{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3509-00000000E501}7864c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057151Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.273{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-3509-00000000E501}7864c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057150Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.257{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3309-00000000E501}7900c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057149Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.257{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3309-00000000E501}7900c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057148Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.241{43EB4363-5775-60F5-3409-00000000E501}78327952C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-3309-00000000E501}7900c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057147Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.240{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3409-00000000E501}7832C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057146Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.220{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3309-00000000E501}7900c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057145Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.220{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-3309-00000000E501}7900c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057144Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.220{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3109-00000000E501}1156c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057143Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.220{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3109-00000000E501}1156c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057142Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.204{43EB4363-5775-60F5-3209-00000000E501}78607844C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-3109-00000000E501}1156c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057141Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.188{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3209-00000000E501}7860C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057140Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.188{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3109-00000000E501}1156c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057139Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.188{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-3109-00000000E501}1156c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057138Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.173{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-2F09-00000000E501}7804c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057137Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.173{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-2F09-00000000E501}7804c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057136Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.173{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90DE30E1DBE5B3BD88946CA3A688466,SHA256=01B703297829A785F90353BB0A89E35E9E315DCAC3E8F46B50054C277AD4CE1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057135Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.157{43EB4363-5775-60F5-3009-00000000E501}7284900C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-2F09-00000000E501}7804c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057134Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.141{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3009-00000000E501}7284C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057133Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.141{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-2F09-00000000E501}7804c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057132Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.141{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-2F09-00000000E501}7804c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057131Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.132{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-2D09-00000000E501}1304c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057130Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.131{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-2D09-00000000E501}1304c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057129Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.110{43EB4363-5775-60F5-2E09-00000000E501}77287824C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-2D09-00000000E501}1304c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057128Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.101{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-2E09-00000000E501}7728C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057127Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.095{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-2D09-00000000E501}1304c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057126Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.094{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-2D09-00000000E501}1304c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057125Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.069{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70B2A8464BF1604055AD8E147244BDCB,SHA256=ABDDA3E7667576D7556646DD98AE3C0AE6F28512EFBB62CA9BA6C754632A48D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057124Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.067{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE33924733B5E0E22E692630F5CE51F9,SHA256=2AD710AA05B535A89C62787A47B584B3D85B15C679F31AE80C99F641D78F9012,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057123Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.064{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-2A09-00000000E501}7688c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057122Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.063{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-2A09-00000000E501}7688c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057121Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.059{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-2C09-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057120Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.059{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-2C09-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057119Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.042{43EB4363-5774-60F5-2009-00000000E501}67164680C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-2C09-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057118Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.039{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-2C09-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057117Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.039{43EB4363-5774-60F5-1F09-00000000E501}61965588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{43EB4363-5775-60F5-2C09-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+35491|UNKNOWN(00007FFD80825A07) 10341000x800000000000000057116Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.035{43EB4363-5775-60F5-2B09-00000000E501}76927700C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-2A09-00000000E501}7688c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057115Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.027{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-2B09-00000000E501}7692C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057114Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.003{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-2A09-00000000E501}7688c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057113Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.003{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-2A09-00000000E501}7688c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057394Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.987{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7E09-00000000E501}5008c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057393Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.987{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7E09-00000000E501}5008c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057392Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.956{43EB4363-5776-60F5-7F09-00000000E501}32446952C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-7E09-00000000E501}5008c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057391Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.956{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7F09-00000000E501}3244C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057390Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.940{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7E09-00000000E501}5008c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057389Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.940{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-7E09-00000000E501}5008c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057388Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.919{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7C09-00000000E501}7220c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057387Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.919{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7C09-00000000E501}7220c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057386Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.903{43EB4363-5776-60F5-7D09-00000000E501}72528180C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-7C09-00000000E501}7220c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057385Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.903{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7D09-00000000E501}7252C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057384Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.888{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7C09-00000000E501}7220c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057383Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.888{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-7C09-00000000E501}7220c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057382Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.888{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7A09-00000000E501}7504c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057381Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.888{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7A09-00000000E501}7504c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057380Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.856{43EB4363-5776-60F5-7B09-00000000E501}72767480C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-7A09-00000000E501}7504c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057379Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.856{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7B09-00000000E501}7276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057378Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.856{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7A09-00000000E501}7504c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057377Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.856{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-7A09-00000000E501}7504c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057376Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.841{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7809-00000000E501}1292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057375Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.841{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7809-00000000E501}1292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057374Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.819{43EB4363-5776-60F5-7909-00000000E501}74927532C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-7809-00000000E501}1292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057373Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.803{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7909-00000000E501}7492C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057372Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.803{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7809-00000000E501}1292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057371Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.803{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-7809-00000000E501}1292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057370Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.772{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7609-00000000E501}7496c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057369Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.772{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7609-00000000E501}7496c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057368Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.703{43EB4363-5776-60F5-7709-00000000E501}67127256C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-7609-00000000E501}7496c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057367Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.703{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7709-00000000E501}6712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 354300x800000000000000057366Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.533{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000057365Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.688{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7609-00000000E501}7496c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057364Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.688{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-7609-00000000E501}7496c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057363Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.688{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F36C0753A9C48A722A7872FBCBB641,SHA256=6B07C7AA099569692ED1DFB692CE05FB6BE2680BCFFA905F16E4F0757D7A0133,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057362Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.672{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7409-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057361Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.672{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7409-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057360Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.641{43EB4363-5776-60F5-7509-00000000E501}81487408C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-7409-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057359Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.641{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7509-00000000E501}8148C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057358Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.619{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7409-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057357Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.619{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-7409-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057356Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.604{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7209-00000000E501}8084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057355Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.604{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7209-00000000E501}8084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057354Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.572{43EB4363-5776-60F5-7309-00000000E501}8112104C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-7209-00000000E501}8084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057353Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.572{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7309-00000000E501}8112C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057352Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.557{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7209-00000000E501}8084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057351Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.557{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-7209-00000000E501}8084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057350Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.557{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7009-00000000E501}2612c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.557{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7009-00000000E501}2612c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057348Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.540{43EB4363-5776-60F5-7109-00000000E501}80328076C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-7009-00000000E501}2612c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057347Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.519{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7109-00000000E501}8032C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.519{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7009-00000000E501}2612c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.519{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-7009-00000000E501}2612c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057344Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.504{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6E09-00000000E501}7676c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057343Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.504{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6E09-00000000E501}7676c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057342Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.488{43EB4363-5776-60F5-6F09-00000000E501}65568036C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-6E09-00000000E501}7676c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057341Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.488{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6F09-00000000E501}6556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057340Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.472{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6E09-00000000E501}7676c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057339Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.472{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-6E09-00000000E501}7676c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057338Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.472{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6C09-00000000E501}5224c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057337Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.472{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6C09-00000000E501}5224c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000057336Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000057335Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007c5875) 13241300x800000000000000057334Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77c82-0x9d7aa351) 13241300x800000000000000057333Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d77c8a-0xff3f0b51) 13241300x800000000000000057332Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d77c93-0x61037351) 13241300x800000000000000057331Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000057330Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007c5875) 13241300x800000000000000057329Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77c82-0x9d75e6e0) 13241300x800000000000000057328Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d77c8a-0xff3a4ee0) 13241300x800000000000000057327Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d77c93-0x60feb6e0) 10341000x800000000000000057326Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.441{43EB4363-5776-60F5-6D09-00000000E501}80688056C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-6C09-00000000E501}5224c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057325Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.439{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6D09-00000000E501}8068C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057324Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.419{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6C09-00000000E501}5224c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057323Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.419{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-6C09-00000000E501}5224c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057322Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.404{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6A09-00000000E501}7992c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057321Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.404{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6A09-00000000E501}7992c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057320Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.373{43EB4363-5776-60F5-6B09-00000000E501}79728188C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-6A09-00000000E501}7992c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057319Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.373{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6B09-00000000E501}7972C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057318Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.357{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6A09-00000000E501}7992c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057317Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.357{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-6A09-00000000E501}7992c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057316Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.341{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6809-00000000E501}1412c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057315Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.341{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6809-00000000E501}1412c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057314Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.338{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81D72ACD748199CCB16701A2FE00176,SHA256=CBB32FE45476ABDCE7E9B607C7D2922C13D6700721479FAB94D1CA8F51879F1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057313Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.320{43EB4363-5776-60F5-6909-00000000E501}80007880C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-6809-00000000E501}1412c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057312Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.320{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6909-00000000E501}8000C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057311Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.304{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6809-00000000E501}1412c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057310Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.304{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-6809-00000000E501}1412c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057309Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.304{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6609-00000000E501}7912c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057308Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.304{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6609-00000000E501}7912c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057307Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.273{43EB4363-5776-60F5-6709-00000000E501}78767144C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-6609-00000000E501}7912c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057306Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.273{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6709-00000000E501}7876C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057305Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.273{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6609-00000000E501}7912c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057304Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.273{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-6609-00000000E501}7912c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057303Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.257{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6409-00000000E501}7916c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057302Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.257{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6409-00000000E501}7916c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057301Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.241{43EB4363-5776-60F5-6509-00000000E501}79007180C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-6409-00000000E501}7916c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057300Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.220{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6509-00000000E501}7900C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057299Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.220{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6409-00000000E501}7916c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057298Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.220{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-6409-00000000E501}7916c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057297Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.204{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6209-00000000E501}7836c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057296Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.204{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6209-00000000E501}7836c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057295Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.188{43EB4363-5776-60F5-6309-00000000E501}11567896C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-6209-00000000E501}7836c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057294Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.188{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6309-00000000E501}1156C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057293Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.173{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6209-00000000E501}7836c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057292Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.173{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-6209-00000000E501}7836c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057291Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.173{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6009-00000000E501}7808c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057290Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.173{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6009-00000000E501}7808c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057289Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.157{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70B2A8464BF1604055AD8E147244BDCB,SHA256=ABDDA3E7667576D7556646DD98AE3C0AE6F28512EFBB62CA9BA6C754632A48D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057288Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.141{43EB4363-5776-60F5-6109-00000000E501}78044904C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-6009-00000000E501}7808c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057287Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.141{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6109-00000000E501}7804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057286Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.141{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6009-00000000E501}7808c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057285Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.141{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-6009-00000000E501}7808c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057284Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.120{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-5E09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057283Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.120{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-5E09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057282Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.104{43EB4363-5776-60F5-5F09-00000000E501}1304224C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-5E09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057281Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.104{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-5F09-00000000E501}1304C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057280Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.104{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-5E09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057279Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.104{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-5E09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057278Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.089{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-5C09-00000000E501}7060c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057277Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.089{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-5C09-00000000E501}7060c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057276Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.073{43EB4363-5776-60F5-5D09-00000000E501}76925624C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-5C09-00000000E501}7060c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057275Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.057{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-5D09-00000000E501}7692C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057274Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.057{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-5C09-00000000E501}7060c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057273Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.057{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-5C09-00000000E501}7060c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057272Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.042{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-5A09-00000000E501}7612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057271Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.042{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-5A09-00000000E501}7612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057270Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.038{43EB4363-5776-60F5-5B09-00000000E501}77966392C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-5A09-00000000E501}7612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057269Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.019{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-5B09-00000000E501}7796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057268Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.019{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-5A09-00000000E501}7612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057267Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.019{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-5A09-00000000E501}7612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057266Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.004{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5809-00000000E501}616c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057265Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.004{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5809-00000000E501}616c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000028733Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:06.013{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51242-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028732Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:07.146{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4BF21BD8C4A2E0BB7364DD5E58821F,SHA256=AD3A0C2A9FBD5899DAB1A0749B66367EF75AB9E6ADA17892264646A304F963A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057498Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.972{43EB4363-5777-60F5-A109-00000000E501}13682612C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-A009-00000000E501}4192c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057497Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.956{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-A109-00000000E501}1368C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057496Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.956{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-A009-00000000E501}4192c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057495Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.956{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-A009-00000000E501}4192c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057494Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.940{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9E09-00000000E501}4344c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057493Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.940{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9E09-00000000E501}4344c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057492Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.919{43EB4363-5777-60F5-9F09-00000000E501}81167676C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-9E09-00000000E501}4344c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057491Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.903{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9F09-00000000E501}8116C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057490Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.903{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9E09-00000000E501}4344c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057489Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.903{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-9E09-00000000E501}4344c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057488Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.903{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B7C692D238A825BB38E38D28B66866,SHA256=D8405B3AAFE446AD45FE7A5A333A2DA6EB8A9944389E64D9B168844DD72BD716,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057487Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.887{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9C09-00000000E501}4516c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057486Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.887{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9C09-00000000E501}4516c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057485Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.872{43EB4363-5777-60F5-9D09-00000000E501}79965224C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-9C09-00000000E501}4516c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057484Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.872{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9D09-00000000E501}7996C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057483Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.856{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9C09-00000000E501}4516c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057482Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.856{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-9C09-00000000E501}4516c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057481Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.856{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9A09-00000000E501}6900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057480Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.856{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9A09-00000000E501}6900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057479Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.837{43EB4363-5777-60F5-9B09-00000000E501}80647972C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-9A09-00000000E501}6900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057478Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.819{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9B09-00000000E501}8064C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057477Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.819{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9A09-00000000E501}6900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057476Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.819{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-9A09-00000000E501}6900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057475Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.803{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9809-00000000E501}6852c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057474Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.803{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9809-00000000E501}6852c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057473Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.741{43EB4363-5777-60F5-9909-00000000E501}79808000C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-9809-00000000E501}6852c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000057472Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.985{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000057471Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.719{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9909-00000000E501}7980C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057470Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.719{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9809-00000000E501}6852c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057469Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.719{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-9809-00000000E501}6852c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057468Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.703{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9609-00000000E501}6708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057467Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.703{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9609-00000000E501}6708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057466Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.688{43EB4363-5777-60F5-9709-00000000E501}78567876C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-9609-00000000E501}6708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057465Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.672{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9709-00000000E501}7856C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057464Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.672{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9609-00000000E501}6708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057463Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.672{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-9609-00000000E501}6708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057462Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.657{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9409-00000000E501}6440c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057461Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.657{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9409-00000000E501}6440c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057460Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.638{43EB4363-5777-60F5-9509-00000000E501}77607916C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-9409-00000000E501}6440c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057459Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.619{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9509-00000000E501}7760C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057458Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.619{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9409-00000000E501}6440c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057457Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.619{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-9409-00000000E501}6440c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057456Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.604{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9209-00000000E501}6536c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057455Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.604{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9209-00000000E501}6536c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057454Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.572{43EB4363-5777-60F5-9309-00000000E501}72887836C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-9209-00000000E501}6536c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057453Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.572{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9309-00000000E501}7288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057452Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.557{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9209-00000000E501}6536c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057451Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.557{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-9209-00000000E501}6536c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057450Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.557{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9009-00000000E501}7908c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057449Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.557{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9009-00000000E501}7908c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057448Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.519{43EB4363-5777-60F5-9109-00000000E501}52767808C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-9009-00000000E501}7908c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057447Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.503{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9109-00000000E501}5276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057446Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.503{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9009-00000000E501}7908c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057445Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.503{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-9009-00000000E501}7908c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057444Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.488{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8E09-00000000E501}6928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057443Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.488{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8E09-00000000E501}6928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057442Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.472{43EB4363-5777-60F5-8F09-00000000E501}7816224C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-8E09-00000000E501}6928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057441Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.457{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8F09-00000000E501}7816C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057440Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.457{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8E09-00000000E501}6928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057439Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.457{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-8E09-00000000E501}6928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057438Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.441{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8C09-00000000E501}7624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057437Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.441{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8C09-00000000E501}7624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057436Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.419{43EB4363-5777-60F5-8D09-00000000E501}43847692C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-8C09-00000000E501}7624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057435Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.404{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8D09-00000000E501}4384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057434Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.404{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8C09-00000000E501}7624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057433Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.404{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-8C09-00000000E501}7624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057432Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.388{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8A09-00000000E501}7708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057431Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.388{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8A09-00000000E501}7708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057430Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.357{43EB4363-5777-60F5-8B09-00000000E501}76527796C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-8A09-00000000E501}7708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057429Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.341{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8B09-00000000E501}7652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057428Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.341{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8A09-00000000E501}7708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057427Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.341{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-8A09-00000000E501}7708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057426Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.319{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8809-00000000E501}7656c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057425Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.319{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8809-00000000E501}7656c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057424Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.303{43EB4363-5777-60F5-8909-00000000E501}73087684C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-8809-00000000E501}7656c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057423Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.303{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2B78654E2242E360A5AFBC6B5818F05,SHA256=C73F258D22FB9C026D31A55EB04E083ACDA002BD61DD0A9C63C946A838CEC070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057422Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.303{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6300AECC74312D9A75C8BBFCAE1631B8,SHA256=32A5FB0BFAFB40F1544322F89272C822A76C6FAD1B81AB6109C3DF5C246C7BFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057421Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.288{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8909-00000000E501}7308C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057420Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.288{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8809-00000000E501}7656c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057419Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.288{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-8809-00000000E501}7656c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057418Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.272{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8609-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057417Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.272{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8609-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057416Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.241{43EB4363-5777-60F5-8709-00000000E501}78527924C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-8609-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057415Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.238{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8709-00000000E501}7852C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057414Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.219{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8609-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057413Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.219{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-8609-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057412Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.219{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8409-00000000E501}4100c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057411Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.219{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8409-00000000E501}4100c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057410Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.172{43EB4363-5777-60F5-8509-00000000E501}81648100C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-8409-00000000E501}4100c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057409Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.156{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8509-00000000E501}8164C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057408Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.141{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8409-00000000E501}4100c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057407Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.141{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-8409-00000000E501}4100c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057406Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.137{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8209-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057405Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.137{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8209-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057404Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.087{43EB4363-5777-60F5-8309-00000000E501}62125936C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-8209-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057403Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.087{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8309-00000000E501}6212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057402Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.072{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8209-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057401Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.072{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-8209-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057400Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.056{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8009-00000000E501}5724c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057399Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.056{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8009-00000000E501}5724c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057398Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.003{43EB4363-5777-60F5-8109-00000000E501}45767128C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-8009-00000000E501}5724c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057397Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.003{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8109-00000000E501}4576C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057396Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.003{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8009-00000000E501}5724c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057395Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.003{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-8009-00000000E501}5724c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000028734Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:08.208{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720C2B8F858B938EE06DD91D16A5C801,SHA256=1ABC9C54A6C9FB218826B75BDDBC2BFC8D43A8412E1DC9115207BDD73BEA1785,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057598Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.972{43EB4363-5778-60F5-C109-00000000E501}78287868C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-C009-00000000E501}7712c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057597Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.957{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-C109-00000000E501}7828C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057596Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.941{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-C009-00000000E501}7712c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057595Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.941{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-C009-00000000E501}7712c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057594Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.940{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-BE09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057593Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.940{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-BE09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057592Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.903{43EB4363-5778-60F5-BF09-00000000E501}77287904C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-BE09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057591Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.888{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-BF09-00000000E501}7728C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057590Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.872{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-BE09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057589Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.872{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-BE09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057588Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.857{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-BC09-00000000E501}5624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057587Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.857{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-BC09-00000000E501}5624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057586Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.819{43EB4363-5778-60F5-BD09-00000000E501}77004908C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-BC09-00000000E501}5624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057585Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.804{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-BD09-00000000E501}7700C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057584Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.772{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-BC09-00000000E501}5624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057583Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.772{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-BC09-00000000E501}5624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057582Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.757{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-BA09-00000000E501}6392c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057581Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.757{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-BA09-00000000E501}6392c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057580Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.705{43EB4363-5778-60F5-BB09-00000000E501}77847688C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-BA09-00000000E501}6392c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057579Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.688{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-BB09-00000000E501}7784C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057578Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.672{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-BA09-00000000E501}6392c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057577Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.672{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-BA09-00000000E501}6392c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057576Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.672{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98CCA3193B2EFE482B3D0D302C3DD5F,SHA256=B79EBA544FA33967DD8A0E9721D56705B23CD9C6C6366BD23892677341F4764D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057575Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.672{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B809-00000000E501}4944c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057574Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.672{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B809-00000000E501}4944c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057573Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.641{43EB4363-5778-60F5-B909-00000000E501}77727684C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-B809-00000000E501}4944c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057572Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.639{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B909-00000000E501}7772C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057571Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.618{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B809-00000000E501}4944c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057570Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.618{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-B809-00000000E501}4944c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057569Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.603{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF7E71237C217E0B6C1BD2105F35674,SHA256=947021DFEF0DEA6839B248F6821BF30E858116805E39616E9D023E5EE287D98F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057568Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.603{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B609-00000000E501}4372c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057567Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.603{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B609-00000000E501}4372c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057566Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.556{43EB4363-5778-60F5-B709-00000000E501}76367272C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-B609-00000000E501}4372c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057565Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.540{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B709-00000000E501}7636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057564Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.540{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B609-00000000E501}4372c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057563Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.540{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-B609-00000000E501}4372c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057562Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.538{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B409-00000000E501}8184c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057561Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.538{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B409-00000000E501}8184c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057560Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.503{43EB4363-5778-60F5-B509-00000000E501}58968100C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-B409-00000000E501}8184c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057559Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.503{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B509-00000000E501}5896C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057558Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.487{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B409-00000000E501}8184c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057557Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.487{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-B409-00000000E501}8184c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057556Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.472{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B209-00000000E501}6064c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057555Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.472{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B209-00000000E501}6064c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057554Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.440{43EB4363-5778-60F5-B309-00000000E501}66527560C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-B209-00000000E501}6064c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057553Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.437{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B309-00000000E501}6652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057552Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.418{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B209-00000000E501}6064c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057551Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.418{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-B209-00000000E501}6064c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057550Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.418{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B009-00000000E501}4080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057549Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.418{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B009-00000000E501}4080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057548Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.387{43EB4363-5778-60F5-B109-00000000E501}62004576C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-B009-00000000E501}4080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057547Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.371{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B109-00000000E501}6200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057546Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.371{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B009-00000000E501}4080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057545Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.371{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-B009-00000000E501}4080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057544Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.356{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-AE09-00000000E501}3860c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057543Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.356{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-AE09-00000000E501}3860c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057542Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.340{43EB4363-5778-60F5-AF09-00000000E501}69563244C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-AE09-00000000E501}3860c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057541Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.318{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-AF09-00000000E501}6956C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057540Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.318{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-AE09-00000000E501}3860c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057539Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.318{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-AE09-00000000E501}3860c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057538Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.303{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-AC09-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057537Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.303{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-AC09-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057536Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.287{43EB4363-5778-60F5-AD09-00000000E501}75287220C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-AC09-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057535Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.271{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-AD09-00000000E501}7528C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057534Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.271{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-AC09-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057533Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.271{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-AC09-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057532Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.256{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-AA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057531Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.256{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-AA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057530Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.256{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A94B898B4CD6FCA712D3BF12805258B,SHA256=2E08E083FC4DAB81933B27B74C394A0306C98FD64B3F1E1E159145B1D4B09A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057529Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.237{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACE8A678912F05478911798BE8A8168,SHA256=95BC3EC8640BBE3BF53CD70E05DB4268FCD35FD979B4EE854E59AD97C0801242,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057528Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.237{43EB4363-5778-60F5-AB09-00000000E501}74847480C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-AA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057527Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.218{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-AB09-00000000E501}7484C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057526Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.218{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-AA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057525Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.218{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-AA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057524Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.203{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-A809-00000000E501}7248c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057523Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.203{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-A809-00000000E501}7248c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057522Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.172{43EB4363-5778-60F5-A909-00000000E501}75401292C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-A809-00000000E501}7248c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057521Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.156{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-A909-00000000E501}7540C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057520Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.140{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-A809-00000000E501}7248c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057519Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.140{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-A809-00000000E501}7248c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057518Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.140{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-A609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057517Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.136{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-A609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057516Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.103{43EB4363-5778-60F5-A709-00000000E501}74567496C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-A609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057515Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.103{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-A709-00000000E501}7456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057514Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.103{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-A609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057513Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.103{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-A609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057512Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.087{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-A409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057511Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.087{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-A409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057510Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.056{43EB4363-5778-60F5-A509-00000000E501}7472292C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-A409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057509Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.056{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-A509-00000000E501}7472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057508Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.040{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-A409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057507Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.040{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-A409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057506Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.040{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-A209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057505Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.040{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-A209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057504Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.019{43EB4363-5778-60F5-A309-00000000E501}73008084C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-A209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057503Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.003{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-A309-00000000E501}7300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057502Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.003{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-A209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057501Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.003{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-A209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057500Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.987{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-A009-00000000E501}4192c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057499Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.987{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-A009-00000000E501}4192c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028735Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:09.443{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CCEEF60098134D81C4E700DA5B7DB98,SHA256=ECD2F06D394EB0A31A96AB8876404482366C32E14F7712C1FDDF6FA82F563951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057696Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.988{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-E009-00000000E501}5764c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057695Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.988{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-E009-00000000E501}5764c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057694Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.988{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057693Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.972{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-DE09-00000000E501}6844c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057692Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.972{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-DE09-00000000E501}6844c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057691Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.941{43EB4363-5779-60F5-DF09-00000000E501}57524080C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-DE09-00000000E501}6844c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057690Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.941{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-DF09-00000000E501}5752C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057689Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.941{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-DE09-00000000E501}6844c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057688Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.941{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-DE09-00000000E501}6844c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057687Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.919{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-DC09-00000000E501}7528c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057686Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.919{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-DC09-00000000E501}7528c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057685Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.903{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4804C69D704201C74BECB76BFF45C644,SHA256=209DED524F4AD541042C54B9B5EB9C5015BD872A524A5870091C3C1E0E2A488C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057684Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.887{43EB4363-5779-60F5-DD09-00000000E501}58763244C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-DC09-00000000E501}7528c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057683Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.872{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-DD09-00000000E501}5876C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057682Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.857{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-DC09-00000000E501}7528c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057681Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.857{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-DC09-00000000E501}7528c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057680Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.840{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-DA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057679Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.840{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-DA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057678Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.803{43EB4363-5779-60F5-DB09-00000000E501}74844568C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-DA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057677Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.788{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-DB09-00000000E501}7484C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057676Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.772{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-DA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057675Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.772{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-DA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057674Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.756{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D809-00000000E501}7232c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057673Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.756{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D809-00000000E501}7232c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057672Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.738{43EB4363-5779-60F5-D909-00000000E501}75048172C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-D809-00000000E501}7232c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057671Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.719{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D909-00000000E501}7504C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057670Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.719{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D809-00000000E501}7232c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057669Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.703{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-D809-00000000E501}7232c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057668Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.703{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057667Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.703{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057666Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.672{43EB4363-5779-60F5-D709-00000000E501}74567524C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-D609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057665Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.656{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D709-00000000E501}7456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057664Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.656{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057663Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.656{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-D609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057662Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.641{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057661Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.641{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057660Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.603{43EB4363-5779-60F5-D509-00000000E501}74727256C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-D409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057659Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.603{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D509-00000000E501}7472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057658Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.588{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057657Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.588{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-D409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057656Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.588{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057655Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.588{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057654Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.556{43EB4363-5779-60F5-D309-00000000E501}73008168C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-D209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057653Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.541{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D309-00000000E501}7300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057652Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.541{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057651Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.541{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-D209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057650Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.519{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D009-00000000E501}8080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057649Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.519{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D009-00000000E501}8080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057648Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.488{43EB4363-5779-60F5-D109-00000000E501}2612104C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-D009-00000000E501}8080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057647Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.472{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D109-00000000E501}2612C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057646Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.472{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D009-00000000E501}8080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057645Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.472{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-D009-00000000E501}8080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057644Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.456{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-CE09-00000000E501}4880c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057643Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.456{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-CE09-00000000E501}4880c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057642Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.434{43EB4363-5779-60F5-CF09-00000000E501}7676504C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-CE09-00000000E501}4880c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057641Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.419{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-CF09-00000000E501}7676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057640Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.403{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-CE09-00000000E501}4880c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057639Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.403{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-CE09-00000000E501}4880c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057638Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.387{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-CC09-00000000E501}7984c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057637Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.387{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-CC09-00000000E501}7984c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057636Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.356{43EB4363-5779-60F5-CD09-00000000E501}52248036C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-CC09-00000000E501}7984c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057635Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.356{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-CD09-00000000E501}5224C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057634Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.340{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-CC09-00000000E501}7984c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057633Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.340{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-CC09-00000000E501}7984c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057632Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.319{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-CA09-00000000E501}7192c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057631Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.319{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-CA09-00000000E501}7192c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057630Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.303{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1328020307F7F553635CA42FD8660D1F,SHA256=E9577AF33539E636342D1CE2865D4A455FBF35AE218B977CCC01F020C2D64B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057629Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.303{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623A29A3753FC9CB8E273053645BD013,SHA256=94E39A161BDA3B4F81984A76708C23C1F3A8AA324BAFBC70163DA0872174F085,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057628Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.287{43EB4363-5779-60F5-CB09-00000000E501}79728056C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-CA09-00000000E501}7192c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057627Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.272{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-CB09-00000000E501}7972C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057626Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.272{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-CA09-00000000E501}7192c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057625Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.256{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-CA09-00000000E501}7192c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057624Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.256{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-C809-00000000E501}7880c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057623Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.256{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-C809-00000000E501}7880c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057622Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.219{43EB4363-5779-60F5-C909-00000000E501}87956C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-C809-00000000E501}7880c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057621Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.203{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-C909-00000000E501}8C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057620Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.203{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-C809-00000000E501}7880c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057619Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.203{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-C809-00000000E501}7880c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057618Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.187{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-C609-00000000E501}6644c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057617Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.187{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-C609-00000000E501}6644c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057616Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.156{43EB4363-5779-60F5-C709-00000000E501}79127740C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-C609-00000000E501}6644c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057615Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.141{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-C709-00000000E501}7912C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057614Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.141{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-C609-00000000E501}6644c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057613Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.141{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-C609-00000000E501}6644c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057612Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.138{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-C409-00000000E501}7180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057611Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.138{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-C409-00000000E501}7180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057610Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.103{43EB4363-5779-60F5-C509-00000000E501}64407760C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-C409-00000000E501}7180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057609Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.088{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-C509-00000000E501}6440C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057608Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.088{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-C409-00000000E501}7180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057607Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.088{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-C409-00000000E501}7180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057606Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.072{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-C209-00000000E501}7872c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057605Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.072{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-C209-00000000E501}7872c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057604Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.019{43EB4363-5779-60F5-C309-00000000E501}72927628C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-C209-00000000E501}7872c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057603Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.019{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-C309-00000000E501}7292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057602Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.003{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-C209-00000000E501}7872c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057601Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.003{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-C209-00000000E501}7872c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057600Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.988{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-C009-00000000E501}7712c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057599Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.988{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-C009-00000000E501}7712c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028736Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:10.521{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8FFFEC23917FFF5FDD835FEFE79BB2,SHA256=874C3E91D6CC8FC3D6C2105C4C900192BA36ECBF16433E14F520665C78C6FF26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057820Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.987{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-040A-00000000E501}7500c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057819Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.987{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-040A-00000000E501}7500c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057818Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.955{43EB4363-577A-60F5-050A-00000000E501}74927456C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-040A-00000000E501}7500c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057817Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.955{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-050A-00000000E501}7492C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057816Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.940{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-040A-00000000E501}7500c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057815Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.940{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-040A-00000000E501}7500c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057814Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.939{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-020A-00000000E501}6712c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057813Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.939{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-020A-00000000E501}6712c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057812Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.918{43EB4363-577A-60F5-030A-00000000E501}73047544C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-020A-00000000E501}6712c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057811Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.902{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-030A-00000000E501}7304C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057810Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.902{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-020A-00000000E501}6712c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057809Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.902{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-020A-00000000E501}6712c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057808Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.887{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-000A-00000000E501}3800c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057807Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.887{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-000A-00000000E501}3800c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057806Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.856{43EB4363-577A-60F5-010A-00000000E501}80847460C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-000A-00000000E501}3800c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057805Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.856{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-010A-00000000E501}8084C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057804Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.840{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-000A-00000000E501}3800c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057803Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.840{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-000A-00000000E501}3800c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057802Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.840{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-FE09-00000000E501}4612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057801Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.840{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-FE09-00000000E501}4612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000057800Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.646{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65095-false13.32.25.69server-13-32-25-69.fra56.r.cloudfront.net443https 354300x800000000000000057799Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.629{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local55937- 354300x800000000000000057798Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.448{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65094-false34.98.75.3636.75.98.34.bc.googleusercontent.com443https 354300x800000000000000057797Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.427{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65093-false143.204.205.12server-143-204-205-12.fra53.r.cloudfront.net443https 354300x800000000000000057796Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.426{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local56006- 354300x800000000000000057795Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.424{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-876.attackrange.local59175-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x800000000000000057794Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.424{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local51453- 10341000x800000000000000057793Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.818{43EB4363-577A-60F5-FF09-00000000E501}41927408C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-FE09-00000000E501}4612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057792Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.803{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-FF09-00000000E501}4192C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057791Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.803{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-FE09-00000000E501}4612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057790Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.803{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-FE09-00000000E501}4612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057789Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.787{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-FC09-00000000E501}8032c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057788Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.787{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-FC09-00000000E501}8032c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057787Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.771{43EB4363-577A-60F5-FD09-00000000E501}43444500C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-FC09-00000000E501}8032c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057786Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.756{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-FD09-00000000E501}4344C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057785Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.756{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-FC09-00000000E501}8032c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057784Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.756{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-FC09-00000000E501}8032c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057783Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.740{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-FA09-00000000E501}852c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057782Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.740{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-FA09-00000000E501}852c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057781Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.718{43EB4363-577A-60F5-FB09-00000000E501}45163504C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-FA09-00000000E501}852c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057780Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.718{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-FB09-00000000E501}4516C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057779Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.703{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-FA09-00000000E501}852c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057778Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.703{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-FA09-00000000E501}852c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057777Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.703{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591E333CB138A63485F3AB7A78F1DE0F,SHA256=3597486295578DD4341111EBCC67568C33D9230243CC74D68354D7F3A88E2BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057776Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.703{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057775Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.703{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4BE2F50F07CE25D1E7D7F15AAB3884,SHA256=0B750F007213CB5B860FAAF3E0E3A186FCEE50BD0661D0D6E00C9A541A32AFD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057774Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.687{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F809-00000000E501}8040c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057773Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.687{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F809-00000000E501}8040c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057772Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.671{43EB4363-577A-60F5-F909-00000000E501}71927972C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-F809-00000000E501}8040c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057771Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.656{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F909-00000000E501}7192C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057770Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.656{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F809-00000000E501}8040c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057769Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.656{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-F809-00000000E501}8040c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057768Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.640{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F609-00000000E501}7980c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057767Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.640{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F609-00000000E501}7980c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057766Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.618{43EB4363-577A-60F5-F709-00000000E501}68528188C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-F609-00000000E501}7980c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057765Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.618{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F709-00000000E501}6852C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057764Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.603{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F609-00000000E501}7980c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057763Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.603{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-F609-00000000E501}7980c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057762Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.587{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F409-00000000E501}7856c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057761Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.587{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F409-00000000E501}7856c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057760Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.572{43EB4363-577A-60F5-F509-00000000E501}67085912C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-F409-00000000E501}7856c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057759Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.556{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F509-00000000E501}6708C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057758Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.556{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F409-00000000E501}7856c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057757Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.556{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-F409-00000000E501}7856c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057756Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.540{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F209-00000000E501}7892c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057755Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.540{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F209-00000000E501}7892c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057754Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.519{43EB4363-577A-60F5-F309-00000000E501}77563664C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-F209-00000000E501}7892c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057753Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.503{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B485C9E62222F91ACE4F7E1868ECA74,SHA256=2595D9ADFF0CAD34929263CD8A20F2F3E31FBF3AA5B1464D79A58EA54CA53E26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057752Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.503{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F309-00000000E501}7756C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x800000000000000057751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.503{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60A7199738BDFDD078D2E9788D2C6239,SHA256=C4BC062EF71D6135270C2500A6D58CAF39A1EAD0D66238FAA019B93D17EF7694,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.487{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F209-00000000E501}7892c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.487{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-F209-00000000E501}7892c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.487{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F009-00000000E501}7836c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.487{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F009-00000000E501}7836c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.456{43EB4363-577A-60F5-F109-00000000E501}78607884C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-F009-00000000E501}7836c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.456{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F109-00000000E501}7860C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.440{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F009-00000000E501}7836c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.440{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-F009-00000000E501}7836c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057742Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.440{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-EE09-00000000E501}7808c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057741Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.439{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-EE09-00000000E501}7808c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057740Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.419{43EB4363-577A-60F5-EF09-00000000E501}72847900C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-EE09-00000000E501}7808c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057739Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.403{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-EF09-00000000E501}7284C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057738Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.403{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-EE09-00000000E501}7808c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057737Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.403{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-EE09-00000000E501}7808c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057736Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.387{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-EC09-00000000E501}7816c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057735Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.387{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-EC09-00000000E501}7816c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057734Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.356{43EB4363-577A-60F5-ED09-00000000E501}69287896C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-EC09-00000000E501}7816c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057733Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.356{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-ED09-00000000E501}6928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057732Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.340{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-EC09-00000000E501}7816c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057731Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.340{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-EC09-00000000E501}7816c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057730Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.339{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-EA09-00000000E501}900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057729Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.339{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-EA09-00000000E501}900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057728Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.303{43EB4363-577A-60F5-EB09-00000000E501}43844908C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-EA09-00000000E501}900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057727Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.303{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-EB09-00000000E501}4384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057726Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.287{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-EA09-00000000E501}900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057725Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.287{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-EA09-00000000E501}900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057724Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.272{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-E809-00000000E501}8132c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057723Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.272{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-E809-00000000E501}8132c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057722Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.241{43EB4363-577A-60F5-E909-00000000E501}76526392C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-E809-00000000E501}8132c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057721Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.241{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E909-00000000E501}7652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057720Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.237{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E809-00000000E501}8132c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057719Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.237{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-E809-00000000E501}8132c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057718Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.219{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-E609-00000000E501}7928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057717Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.219{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-E609-00000000E501}7928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057716Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.203{43EB4363-577A-60F5-E709-00000000E501}77247764C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-E609-00000000E501}7928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057715Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.188{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E709-00000000E501}7724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057714Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.172{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E609-00000000E501}7928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057713Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.172{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-E609-00000000E501}7928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057712Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.172{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-E409-00000000E501}7648c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057711Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.172{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-E409-00000000E501}7648c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057710Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.141{43EB4363-577A-60F5-E509-00000000E501}79247272C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-E409-00000000E501}7648c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057709Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.119{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E509-00000000E501}7924C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057708Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.119{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E409-00000000E501}7648c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057707Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.119{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-E409-00000000E501}7648c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057706Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.103{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-E209-00000000E501}4100c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057705Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.103{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-E209-00000000E501}4100c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057704Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.072{43EB4363-577A-60F5-E309-00000000E501}80447200C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-E209-00000000E501}4100c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057703Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.072{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E309-00000000E501}8044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057702Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.056{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E209-00000000E501}4100c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057701Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.056{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-E209-00000000E501}4100c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057700Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.041{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-E009-00000000E501}5764c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057699Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.041{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-E009-00000000E501}5764c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057698Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.019{43EB4363-577A-60F5-E109-00000000E501}59366428C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-E009-00000000E501}5764c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057697Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.003{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E109-00000000E501}5936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 354300x800000000000000057876Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.091{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000057875Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.810{43EB4363-577B-60F5-170A-00000000E501}76128132C:\Windows\system32\conhost.exe{43EB4363-577B-60F5-160A-00000000E501}7784c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057874Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.809{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-170A-00000000E501}7612C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057873Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.804{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-160A-00000000E501}7784c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057872Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.804{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577B-60F5-160A-00000000E501}7784c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057871Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.793{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F08CFC4C96504F0D48BF840C123AC68,SHA256=E19E8BA9DB6C12E8EB25B97244E2A9D78563E25C7E3CC76D64507056E58BE6E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057870Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.470{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-140A-00000000E501}7308c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057869Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.470{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-140A-00000000E501}7308c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057868Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.455{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=572CD94E0A6319328DD6A40DE1460F66,SHA256=840B3B1C94D4C8E683C2DA64D6306CE939D8CD9A47F8E180A60FB0CEB77405D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057867Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.338{43EB4363-577B-60F5-150A-00000000E501}76847820C:\Windows\system32\conhost.exe{43EB4363-577B-60F5-140A-00000000E501}7308c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057866Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.318{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-150A-00000000E501}7684C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057865Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.318{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-140A-00000000E501}7308c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057864Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.318{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577B-60F5-140A-00000000E501}7308c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057863Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.302{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-120A-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057862Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.302{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-120A-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057861Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.286{43EB4363-577B-60F5-130A-00000000E501}6166680C:\Windows\system32\conhost.exe{43EB4363-577B-60F5-120A-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057860Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.271{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-130A-00000000E501}616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057859Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.271{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-120A-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057858Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.271{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577B-60F5-120A-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057857Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.255{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-100A-00000000E501}7244c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057856Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.255{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-100A-00000000E501}7244c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057855Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.239{43EB4363-577B-60F5-110A-00000000E501}78526236C:\Windows\system32\conhost.exe{43EB4363-577B-60F5-100A-00000000E501}7244c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057854Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.237{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-110A-00000000E501}7852C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057853Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.218{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-100A-00000000E501}7244c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057852Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.218{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577B-60F5-100A-00000000E501}7244c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057851Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.218{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-0E0A-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057850Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.218{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-0E0A-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057849Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.186{43EB4363-577B-60F5-0F0A-00000000E501}71086652C:\Windows\system32\conhost.exe{43EB4363-577B-60F5-0E0A-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057848Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.186{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-0F0A-00000000E501}7108C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057847Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.171{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-0E0A-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057846Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.171{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577B-60F5-0E0A-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057845Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.171{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-0C0A-00000000E501}4576c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057844Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.171{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-0C0A-00000000E501}4576c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057843Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.139{43EB4363-577B-60F5-0D0A-00000000E501}66326624C:\Windows\system32\conhost.exe{43EB4363-577B-60F5-0C0A-00000000E501}4576c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057842Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.139{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-0D0A-00000000E501}6632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057841Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.136{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-0C0A-00000000E501}4576c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057840Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.135{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577B-60F5-0C0A-00000000E501}4576c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057839Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.118{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-0A0A-00000000E501}6060c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057838Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.118{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-0A0A-00000000E501}6060c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057837Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.102{43EB4363-577B-60F5-0B0A-00000000E501}69567528C:\Windows\system32\conhost.exe{43EB4363-577B-60F5-0A0A-00000000E501}6060c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057836Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.087{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-0B0A-00000000E501}6956C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057835Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.087{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-0A0A-00000000E501}6060c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057834Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.087{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577B-60F5-0A0A-00000000E501}6060c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057833Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.071{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-080A-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057832Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.071{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-080A-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057831Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.071{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1238D76F060E517F81D9E09F4E4ABC79,SHA256=EB4491EF5CFDB945DCE1AD426BBF4765EC05E8126406028BC0F08ADEB9DBCF51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057830Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.055{43EB4363-577B-60F5-090A-00000000E501}57407484C:\Windows\system32\conhost.exe{43EB4363-577B-60F5-080A-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057829Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.040{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-090A-00000000E501}5740C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057828Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.040{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-080A-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057827Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.040{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577B-60F5-080A-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000028737Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:11.739{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95CB08EA60FF59580BB8CA33FF16EFD,SHA256=C453A7CE625D1308CD54B1917ABDC09A4A68567AD7BCB853CAECB90A7FA64A8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057826Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.018{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-060A-00000000E501}5084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057825Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.018{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-060A-00000000E501}5084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057824Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.002{43EB4363-577B-60F5-070A-00000000E501}72327504C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-060A-00000000E501}5084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057823Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.002{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-070A-00000000E501}7232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057822Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.987{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-060A-00000000E501}5084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057821Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.987{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-060A-00000000E501}5084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000028738Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:12.974{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C93BE3052B79E7F52286BD96594DA0,SHA256=B69FC2A234C09920C02C5C3925FE07076A1832263CB38B2658FB4254910421E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057933Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.987{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-577C-60F5-180A-00000000E501}7864c:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057932Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.971{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057931Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.971{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057930Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.971{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057929Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.971{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057928Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.971{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577C-60F5-180A-00000000E501}7864c:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057927Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.971{43EB4363-56CD-60F5-F608-00000000E501}75482112C:\Windows\system32\msiexec.exe{43EB4363-577C-60F5-180A-00000000E501}7864c:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\Msi.dll+ba6f5|C:\Windows\system32\Msi.dll+16c8f4|C:\Windows\system32\Msi.dll+16cf6c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057926Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.977{43EB4363-577C-60F5-180A-00000000E501}7864C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\Windows\System32\MsiExec.exe -Embedding 30808903E370CCBE1753D730B2F3ABEC E Global\MSI0000C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9,IMPHASH=18A9F87944C357EB02511FDF4A18E19B{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /V 23542300x800000000000000057925Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.940{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI71D0.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057924Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.936{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D67C6B6C6CF49D1EF21D973AF306B90,SHA256=B04A45B5FF05FEDABF90EE212F3BE7AD59D8549E8184529AB5BE7D87E4E6EB68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057923Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.590{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local51228- 23542300x800000000000000057922Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.838{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53A130723379BBB0C68239F3EE511A82,SHA256=9A8BDE5802BD3A7D73BC7B7B6CB7EB59A21B4E2F7B0326795C66C3B43D014001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057921Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.718{43EB4363-56CD-60F5-F608-00000000E501}75487728C:\Windows\system32\msiexec.exe{43EB4363-56C9-60F5-D908-00000000E501}7732C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19e41d|C:\Windows\system32\Msi.dll+2eaae|C:\Windows\system32\Msi.dll+47505|C:\Windows\system32\Msi.dll+10a8c5|C:\Windows\system32\Msi.dll+109ae6|C:\Windows\system32\Msi.dll+f407f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057920Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.603{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\79c62a.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057919Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.603{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6EACE38CC8BE29AC22BAEF21F301B1EF,SHA256=B96DBB438458A7A1F2B6268F06A8EDE6B60226BAB431112C0D1B663D3FEA922E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057918Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.572{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=627ACF088B2C35DC379F3B1E837955BE,SHA256=04E6C468DCA0883CE04F031B760FD12F39752F1B87CF9AD3B48CB7CABD212E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057917Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.572{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipiMD5=CEFD480AB62A239E4B7E880F2EEAFAA9,SHA256=72AE17727A0DD703799168ED82AD603AE9EC25E9A99A7DC5825E15B3D1E453EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057916Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.572{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF722970905C2DFFF6.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057915Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.572{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF97233BEED58598DD.TMPMD5=CEFD480AB62A239E4B7E880F2EEAFAA9,SHA256=72AE17727A0DD703799168ED82AD603AE9EC25E9A99A7DC5825E15B3D1E453EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057914Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.572{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF4F71FC765D38BE9A.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057913Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.556{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF6A8CF91ED6D8568A.TMPMD5=CEFD480AB62A239E4B7E880F2EEAFAA9,SHA256=72AE17727A0DD703799168ED82AD603AE9EC25E9A99A7DC5825E15B3D1E453EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057912Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.556{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\79c626.msiMD5=E20FBF0B3B3A743FF322CF09889E384F,SHA256=58B06E326B3EE4D5ABD578EAC08CDA92CE97F21AA7CE6CC77EA20CAF8B9777EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057911Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.556{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFD11917BC9AB48296.TMPMD5=FB3CE4A840D07714C74EDA2DE1DAFEB0,SHA256=288A5544930EDA929D24547F8A1A731A379F71583E6BE0DA9B983DE9BFA147CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057910Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.556{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF787A0D82E964230D.TMPMD5=06F56E37CED4F9372FE1A8039948EABD,SHA256=25FFCC59B999E07EC2A50658DC47F648268B5032BFCD85EBD37E05D4B356B1CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057909Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.556{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2FD322DD5CB90CC47461E442A404E8EF,SHA256=D14BED37CF62F2445A9CDBBD16AE04BCF98256E307ED2E5D36DFABC9DA445257,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000057908Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.634{43EB4363-55F0-60F5-A708-00000000E501}6340d2nxq2uap88usk.cloudfront.net02600:9000:2156:600:a:da5e:7900:93a1;2600:9000:2156:4400:a:da5e:7900:93a1;2600:9000:2156:5000:a:da5e:7900:93a1;2600:9000:2156:9a00:a:da5e:7900:93a1;2600:9000:2156:7000:a:da5e:7900:93a1;2600:9000:2156:f200:a:da5e:7900:93a1;2600:9000:2156:2200:a:da5e:7900:93a1;2600:9000:2156:1e00:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000057907Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.540{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c628.rbsMD5=507336B8EC33F0B06B0B1BC09F6153B0,SHA256=C5BC243BA4641D553B47AB0002A040F5FB6700ACFCAAECC90FF6130A87CEE8E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057906Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.540{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF7A6D14A5B0D964AF.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057905Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.540{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF28F77569EA3C37EA.TMPMD5=6C47DCB07AA8638E227EA5BD9463D68D,SHA256=BD021F999121FEDF46600CCB1AD8468A4BA14FA6A8D8B92E7A10A49A1B19E401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057904Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.540{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFFB2717A00B2D9BAB.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057903Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.540{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF08019A4DE86EB4B4.TMPMD5=6C47DCB07AA8638E227EA5BD9463D68D,SHA256=BD021F999121FEDF46600CCB1AD8468A4BA14FA6A8D8B92E7A10A49A1B19E401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057902Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.537{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI6FFB.tmpMD5=6275DC31CD402071BE7B55ADD3DE1C23,SHA256=1AA058F49A4CD780750FA23486E7AA9513C231D65CCFCBF7E6475EF8E793D14F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000057901Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:12.518{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}\URLUpdateInfo(Empty) 13241300x800000000000000057900Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:44:12.518{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}\PublisherMicrosoft Corporation 13241300x800000000000000057899Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:12.518{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}\InstallSourcec:\program files\microsoft office\root\integration\ 23542300x800000000000000057898Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.503{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c628.rbsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057897Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.503{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFBEDFAE4F898F4275.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057896Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.503{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF81666B1FE8F56580.TMPMD5=6C47DCB07AA8638E227EA5BD9463D68D,SHA256=BD021F999121FEDF46600CCB1AD8468A4BA14FA6A8D8B92E7A10A49A1B19E401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057895Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.472{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI6FFB.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057894Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.419{43EB4363-56CD-60F5-F608-00000000E501}75487812C:\Windows\system32\msiexec.exe{43EB4363-56C9-60F5-D908-00000000E501}7732C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19e41d|C:\Windows\system32\Msi.dll+2eaae|C:\Windows\system32\Msi.dll+47505|C:\Windows\system32\Msi.dll+10a8c5|C:\Windows\system32\Msi.dll+109ae6|C:\Windows\system32\Msi.dll+f407f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057893Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.419{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\79c626.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057892Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.419{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=96208B6D1B2E1DEA78EFBD5FDF936728,SHA256=AF41BF2116F7C64B9A36697FE79047645F339E87F6AC96D039EC5DB08EC881D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057891Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.403{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A3409A0921C157E6F6E21B5BD65F79FC,SHA256=9CB6EBD83A338CB2569BA3C0D1E8D420A62B2D9FB43A2E8B8B555BA2D5D30B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057890Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.403{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipiMD5=F85A554CAB54CF9844C088F1834BE712,SHA256=CEC12574499DCA58E1B87BB61C098597E39429D8FA5135F35F720718D287B500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057889Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.403{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFD9DDF561CEF455AF.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057888Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.403{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFE15E05D6017ABF60.TMPMD5=F85A554CAB54CF9844C088F1834BE712,SHA256=CEC12574499DCA58E1B87BB61C098597E39429D8FA5135F35F720718D287B500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057887Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.387{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF02401A2BE8218C2B.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057886Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.387{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFD6A71A656FAE9662.TMPMD5=F85A554CAB54CF9844C088F1834BE712,SHA256=CEC12574499DCA58E1B87BB61C098597E39429D8FA5135F35F720718D287B500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057885Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.387{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\79c622.msiMD5=48C6BB846D0E859DC7795CFB7E7B387D,SHA256=C689BD3ADAFE767C6C61C56DA5D6F8FA0971EC0DF8BD7A669655C12DBBA5B19F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057884Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.287{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A3409A0921C157E6F6E21B5BD65F79FC,SHA256=9CB6EBD83A338CB2569BA3C0D1E8D420A62B2D9FB43A2E8B8B555BA2D5D30B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057883Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.287{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B796FF0704B3667FC12BC760D6BB462A,SHA256=E058A33C1C87AB31298C03084AC1B8BA6757F51AB01D85E11AFEE4F3BF10BE76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057882Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.272{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF78BDC4C75F6FC805.TMPMD5=BCFEFC84A7086A479D3CBC40E90A7D1C,SHA256=EB61068F4C40251BE2BE5E00F965EA30F951174BA454FF3EF2B88D684467091B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057881Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.272{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFF86AD75788D93DCE.TMPMD5=9A892E92C03F738E02419A424F58A3B3,SHA256=D63F498BB967731C511BB05504E4123C7AF44A722630461532759FBBAFB3E989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057880Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.272{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c624.rbsMD5=80183A9BB8E65A87AA29796295631957,SHA256=3FBF83426E114A7E18510C7F15DFE7578A185A01405BF8F86F32A06C1F6DD14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057879Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.239{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI4EF4.tmpMD5=FCCDC45CA17E5180B40EFC28052BAC39,SHA256=4AB37B0F9C5FE3505E1ECFE0764AAA04838CF81F9E0A402425E057F7A251E621,IMPHASH=620AD7AB8901854C91622E052544AEE7truetrue 10341000x800000000000000057878Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.925{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-160A-00000000E501}7784c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057877Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.925{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-160A-00000000E501}7784c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000028739Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:11.919{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51243-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000057967Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.744{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0797713338DC66DE75680C31B1091F6F,SHA256=964601A9CCEE258D302C4EEA641EF5AAB6045014B349ADEBBABE2E18659BB86E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057966Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.744{43EB4363-37A4-60F5-0A00-00000000E501}6082808C:\Windows\system32\services.exe{43EB4363-577D-60F5-190A-00000000E501}7884C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057965Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.744{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-577D-60F5-190A-00000000E501}7884C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057964Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.690{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577D-60F5-190A-00000000E501}7884C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057963Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.690{43EB4363-37A4-60F5-0A00-00000000E501}6081020C:\Windows\system32\services.exe{43EB4363-577D-60F5-190A-00000000E501}7884C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057962Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.621{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057961Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.621{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057960Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.621{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-37A4-60F5-0A00-00000000E501}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000057959Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:13.590{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\URLUpdateInfo(Empty) 13241300x800000000000000057958Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:44:13.590{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\PublisherMicrosoft Corporation 13241300x800000000000000057957Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:13.590{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\InstallSourcec:\program files\microsoft office\root\integration\ 11241100x800000000000000057956Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.343{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\vcruntime140.dll2021-07-19 10:44:13.343 11241100x800000000000000057955Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.321{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\vccorlib140.dll2021-07-19 10:44:13.321 11241100x800000000000000057954Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.306{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll2021-07-19 10:44:13.306 11241100x800000000000000057953Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.259{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll2021-07-19 10:44:13.259 254200x800000000000000057952Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10992021-07-19 10:44:13.259{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE2002-02-01 19:02:02.0002021-07-19 10:44:13.205 11241100x800000000000000057951Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:44:13.205{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE2021-07-19 10:44:13.205 11241100x800000000000000057950Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.205{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files\Microsoft Office\Office16\OSPP.VBS2021-07-19 10:44:13.205 11241100x800000000000000057949Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.191{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\msvcp140_codecvt_ids.dll2021-07-19 10:44:13.191 11241100x800000000000000057948Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.174{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\msvcp140_2.dll2021-07-19 10:44:13.174 11241100x800000000000000057947Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.174{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\msvcp140_1.dll2021-07-19 10:44:13.174 11241100x800000000000000057946Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.159{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\msvcp140.dll2021-07-19 10:44:13.159 254200x800000000000000057945Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10992021-07-19 10:44:13.159{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE2002-02-01 19:02:02.0002021-07-19 10:44:13.159 11241100x800000000000000057944Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:44:13.159{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE2021-07-19 10:44:13.159 11241100x800000000000000057943Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.143{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\concrt140.dll2021-07-19 10:44:13.143 23542300x800000000000000057942Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.105{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c62c.rbsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057941Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.105{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF73478E3CD2B49CF2.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057940Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.105{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF981FB8DC105D880D.TMPMD5=0D03BDEB646FD0ED913F8CBE06B60530,SHA256=3B2FFC52736281892B24169703CE5F0E2011C3173390F72D297A6C09BF319ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057939Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.074{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI7240.tmpMD5=EE6243DF5EA48D929DA4790EFEEA45C9,SHA256=0503FCF7646DAAE6E5445D8C5F248384542D2EEAB4C7D8AD3CD5A47759759A48,IMPHASH=27304803DEB6EEDF56BA2A6E235C6126truetrue 23542300x800000000000000057938Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.018{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI71F1.tmpMD5=EE6243DF5EA48D929DA4790EFEEA45C9,SHA256=0503FCF7646DAAE6E5445D8C5F248384542D2EEAB4C7D8AD3CD5A47759759A48,IMPHASH=27304803DEB6EEDF56BA2A6E235C6126truetrue 13241300x800000000000000057937Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:13.018{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x800000000000000057936Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:13.002{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\288C719A-D921-402F-93ED-77A6E8F040BE\Config SourceDWORD (0x00000001) 13241300x800000000000000057935Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:13.002{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\288C719A-D921-402F-93ED-77A6E8F040BE\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_288C719A-D921-402F-93ED-77A6E8F040BE.XML 10341000x800000000000000057934Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.002{43EB4363-577C-60F5-180A-00000000E501}78647920c:\Windows\System32\MsiExec.exe{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\Windows\System32\MsiExec.exe+6bca|c:\Windows\System32\MsiExec.exe+7166|c:\Windows\System32\MsiExec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028740Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:14.208{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381180DF937C6BB56E02111E10B03FEE,SHA256=B9F861C06CDBBE18D65C8B93C38CAE3C94B8F49C82444A2DBCC1AE78CED68B14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058014Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.905{43EB4363-55C4-60F5-7D08-00000000E501}24645396C:\Windows\System32\RuntimeBroker.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000058013Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.905{43EB4363-55C4-60F5-7D08-00000000E501}24645396C:\Windows\System32\RuntimeBroker.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000058012Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.889{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-577E-60F5-1A0A-00000000E501}3504C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058011Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.820{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577E-60F5-1A0A-00000000E501}3504C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058010Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.820{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-577E-60F5-1A0A-00000000E501}3504C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058009Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.805{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058008Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.805{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058007Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.805{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058006Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.789{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058005Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.789{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058004Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.756{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6DF43B8F7E9BF378815B4B481E517B58,SHA256=71A06B6742FCA829584386A8D87381CAE94BEBFC14CD9F3D86CCC9AA8B2434F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058003Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.755{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CA244E1A5BA730F36039E0CCEEE931C6,SHA256=2A1482115E5B3108432B7AD13B81B30FC008364ABEC61603062514AF9765C0CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058002Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.962{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65099-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000058001Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.962{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65099-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 23542300x800000000000000058000Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.636{43EB4363-56C9-60F5-D908-00000000E501}7732NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-walMD5=B85CF81C3DAD77757EFCCD26DCEF1B20,SHA256=306EA7C0E6B01B2A7ED339B36C377F56095659F37FE87B210EF1AC401A4CEBB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057999Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.636{43EB4363-56C9-60F5-D908-00000000E501}7732NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-shmMD5=AA401F07B158167796D2B8D01161801C,SHA256=5DC963992AD9F9F037C144D36762C2705EBE7680D9DB3616D85DDEE7E701D017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057998Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.636{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D9ECE4B8DC162B2467C7293A6A474BA3,SHA256=4489E8F4FD9A14A5E78C09712C3AF6D76D74FA8EE888B7E423CC656C323ED7DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057997Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.636{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipiMD5=DA986370EE760E42A6E63656C2D47F7E,SHA256=E1EAF80CAA9883F8D4684EA47DCE2AED3E82630403501EBDA958B3E4C33B0525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057996Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.620{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF25FE5DC18A13FE01.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057995Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.620{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFCFDFBB0FCBCF81F2.TMPMD5=DA986370EE760E42A6E63656C2D47F7E,SHA256=E1EAF80CAA9883F8D4684EA47DCE2AED3E82630403501EBDA958B3E4C33B0525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057994Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.620{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF00B9092F0FC4D3AA.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057993Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.620{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF6A660DF7B592E1EE.TMPMD5=DA986370EE760E42A6E63656C2D47F7E,SHA256=E1EAF80CAA9883F8D4684EA47DCE2AED3E82630403501EBDA958B3E4C33B0525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057992Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.620{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\79c62a.msiMD5=8F45FCA7C2405E86581E45829C516558,SHA256=F12642BECC030EBCD3964309F63A535B4FC0198990BDC03C3D6652706324ECDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057991Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.504{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\y7l8cnva.default-release\cache2\doomed\24677MD5=9CA43F308C17EFBDACFF4106776D6173,SHA256=9E844032CBD30BAF6C3F6DAA669ABF1C722DDC959BD43ECCC3DCF2A55D4EBED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057990Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.489{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B248641FAF804306E2AF7FED40550828,SHA256=A54CDC325FBC0F038E4D022258CC14196F83B656BF0B6EABC6E4C07EE3F604DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057989Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.489{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF6F52F3F668E779FA.TMPMD5=3DB4C0F6BB1D89986424CB567BB6240B,SHA256=AC33BA812417824860B1B83F78268593530A4DEB61387FE05449D78ADEEB14F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057988Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.489{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF8DCA68FE1C1F89F2.TMPMD5=25585A18D5FEAAE0B72E14FD10383057,SHA256=52B3FA676392FE91E217B2A4881423EE98886C9B2E6E5FC2DCC3971CB7A58757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057987Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.473{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c62c.rbsMD5=E60D7F08DAB4433861FDA1DF2847C743,SHA256=FED02BBE1639CCA4C33C6F187281E7C93AE0E1374D22DED850BC501188AA2F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057986Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.473{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFCA19220E9F248FC2.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057985Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.473{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFD4B2A4AC5CA8B42B.TMPMD5=0D03BDEB646FD0ED913F8CBE06B60530,SHA256=3B2FFC52736281892B24169703CE5F0E2011C3173390F72D297A6C09BF319ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057984Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.473{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFFBE7DAD1F9B7079C.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057983Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.473{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFB0ECACF009B617A2.TMPMD5=0D03BDEB646FD0ED913F8CBE06B60530,SHA256=3B2FFC52736281892B24169703CE5F0E2011C3173390F72D297A6C09BF319ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057982Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.473{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI71D0.tmpMD5=4CD7B70145372AD3A3C0132375B77ADF,SHA256=F04DB4DBE9A9A52BD6BE3F50E0E6193B68B35A408C7CCBDAA389F94F589C965A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057981Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.457{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI7454.tmpMD5=8E81FA5714AF635EDABEF92ED5211750,SHA256=AADE181D78E6DD6ABDA61C33748264B88116945A4F7497B1E003DA47AC70CFF1,IMPHASH=E3EC487F117DDC5C6CD318AF9785DD2Etruetrue 23542300x800000000000000057980Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.447{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B8AE19CFAB2F5567CCE23322B60A7813,SHA256=5BAD4A6F92CF511AE3FF5678688E23C39C44F4933EB7DA2474BE66FCBD45AFF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057979Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.442{43EB4363-577D-60F5-190A-00000000E501}78847832C:\Windows\system32\sppsvc.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+7eaa8|C:\Windows\system32\sppsvc.exe+748f0|C:\Windows\system32\sppsvc.exe+957de|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4 10341000x800000000000000057978Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.442{43EB4363-577D-60F5-190A-00000000E501}78847832C:\Windows\system32\sppsvc.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+74a0a|C:\Windows\system32\sppsvc.exe+95791|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057977Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.400{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D1DD144B70938FA0C477989F651AE14E,SHA256=E183C2F2B741072F2D624ECB2EBAB73B26A23ECD391B710A2295281F8C211B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057976Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.392{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=31BF22372C777C0F7977E4F7DCA35AE5,SHA256=28BCC1D8EE62ED968FDB484546331850CAA9DBA0ED0F2CFF2672269E427702E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057975Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.953{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65098-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000057974Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.953{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65098-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000057973Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.937{43EB4363-37A7-60F5-0D00-00000000E501}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65097-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local135epmap 354300x800000000000000057972Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.937{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65097-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local135epmap 23542300x800000000000000057971Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.185{43EB4363-577D-60F5-190A-00000000E501}7884NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\tokens.dat.bakMD5=16B7F0029E264F6636B863ED46240CE3,SHA256=D54273A0C794D985603400DB07F73EB440953B37C87C2FC90AE1041F1CB9ECC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057970Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.064{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E425DF9AEBB912AAB7F098364C69B489,SHA256=7F79238FD37969D19F93CCBACD973524A2B2B4620ACDAB44C9542FF85B2CF582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057969Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.064{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC19D0E781348BB0DA9ED512E80B8700,SHA256=7B9906AE5280234392DCB7B7125DA0394724E1373612099FC088774C70EC199C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057968Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.064{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6D917266655023CED133AF44878ED196,SHA256=DCDB8A726539DE6BD480B23B45D938DBB0EEF9A1196B5866178400941CD08D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028741Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:15.427{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312876537B84C35B8488BDC960FB89B3,SHA256=11B655AC788C1EBE927AE9D4A1D7DD76E4F1E2C239182F27AAA4C15E24554F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058016Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:15.854{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=722E606DED744BD16001EF5F97053888,SHA256=6D38EB9D8370C2405C9243915EE06A8776A98CBA4C21EECF50981D7252760A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058015Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:15.118{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED424DFDAB0506FC6194E8B5BC96BD70,SHA256=CD6EC96874FBEB5AB89A9C555E048877423314E98BB702D8F78A1337DC3B0891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028742Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:16.458{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807CFC9CF797789A6CF33652EC507125,SHA256=BCDE283B46E3CC243C91D97707A9D8A77C6D1E027CD3E50140164901608D5672,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058054Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.987{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058053Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.987{43EB4363-5780-60F5-230A-00000000E501}72524568C:\Windows\system32\conhost.exe{43EB4363-5780-60F5-220A-00000000E501}7232C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058052Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.972{43EB4363-55C1-60F5-7208-00000000E501}45562812C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-210A-00000000E501}5084C:\Windows\system32\fontdrvhost.exe0x13ffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058051Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.972{43EB4363-55C1-60F5-7308-00000000E501}19442588C:\Windows\system32\winlogon.exe{43EB4363-5780-60F5-210A-00000000E501}5084C:\Windows\system32\fontdrvhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+60dea|C:\Windows\system32\winlogon.exe+3508a|C:\Windows\system32\winlogon.exe+1bbfd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058050Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.972{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-230A-00000000E501}7252C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058049Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.972{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-220A-00000000E501}7232C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058048Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.972{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5780-60F5-220A-00000000E501}7232C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a06a9|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b360f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+43ff8a|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+440254|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058047Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.956{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5780-60F5-1F0A-00000000E501}7532C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058046Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.956{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5780-60F5-1F0A-00000000E501}7532C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000058045Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:16.956{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523S-1-5-18v2.26|AppPkgId=S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523|LUOwn=S-1-5-18|M=microsoft.windows.fontdrvhost|Name=Usermode Font Driver Host|Desc=Usermode Font Driver Host| 10341000x800000000000000058044Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.956{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5780-60F5-1F0A-00000000E501}7532C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000058043Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:16.956{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000006e5) 13241300x800000000000000058042Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:16.956{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{8D7DF810-1D1B-4776-9963-602509F284D0}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=Usermode Font Driver Host|Desc=Usermode Font Driver Host|LUOwn=S-1-5-18|AppPkgId=S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523|EmbedCtxt=Usermode Font Driver Host| 13241300x800000000000000058041Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:16.956{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000006e4) 13241300x800000000000000058040Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:16.956{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{0A8571D6-2487-41A5-A3ED-C1C99961FC3F}v2.26|Action=Block|Active=TRUE|Dir=In|Name=Usermode Font Driver Host|Desc=Usermode Font Driver Host|LUOwn=S-1-5-18|AppPkgId=S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523|EmbedCtxt=Usermode Font Driver Host| 10341000x800000000000000058039Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.941{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-55C1-60F5-7308-00000000E501}1944C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058038Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.941{43EB4363-5780-60F5-200A-00000000E501}74568180C:\Windows\system32\conhost.exe{43EB4363-5780-60F5-1F0A-00000000E501}7532C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058037Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.925{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-200A-00000000E501}7456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058036Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.925{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-1F0A-00000000E501}7532C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058035Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.925{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5780-60F5-1F0A-00000000E501}7532C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a07cd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a0903|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b3834|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+43feb9|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+440254|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058034Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.925{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5780-60F5-1B0A-00000000E501}5216C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058033Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.925{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5780-60F5-1B0A-00000000E501}5216C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058032Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.909{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5780-60F5-1B0A-00000000E501}5216C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058031Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.906{43EB4363-5780-60F5-1D0A-00000000E501}72567468C:\Windows\system32\conhost.exe{43EB4363-5780-60F5-1B0A-00000000E501}5216C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058030Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.905{43EB4363-5780-60F5-1E0A-00000000E501}12927304C:\Windows\system32\conhost.exe{43EB4363-5780-60F5-1C0A-00000000E501}7460C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058029Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.871{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-1E0A-00000000E501}1292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058028Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.871{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-1D0A-00000000E501}7256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058027Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.871{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-1C0A-00000000E501}7460C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058026Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.871{43EB4363-564B-60F5-C908-00000000E501}65768168C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5780-60F5-1C0A-00000000E501}7460C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+108f89|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+73a3e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+738ca|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+44f6d5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+44de4c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058025Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.871{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-1B0A-00000000E501}5216C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058024Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.871{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5780-60F5-1B0A-00000000E501}5216C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a08b6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b3834|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+43feb9|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+440254|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000058023Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:16.840{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\root\Client\C2R32.dll2021-07-19 10:44:16.840 11241100x800000000000000058022Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:16.840{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems32.dll2021-07-19 10:44:16.840 13241300x800000000000000058021Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:44:16.825{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\O365ProPlusRetail - en-us\PublisherMicrosoft Corporation 354300x800000000000000058020Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:15.172{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058019Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.148{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B25BC4AA1A4FF5A9DA4D3DD780DA8D62,SHA256=5792AB6A740BCAAFE58726E0C9E4A80C56E6F57C61F757DD1EB7829EF5560E14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058018Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.745{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-876.attackrange.local65100-false10.0.1.14win-dc-876.attackrange.local445microsoft-ds 354300x800000000000000058017Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.745{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65100-false10.0.1.14win-dc-876.attackrange.local445microsoft-ds 23542300x800000000000000028743Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:17.583{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1AAC2D1D879357450E8FC2ADBAEF0B,SHA256=06C267BD13E9DCAE763A6C354D6053789CD806466AB8556EBDF310684307ECC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058250Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.968{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058249Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.965{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-300A-00000000E501}8128C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058248Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.965{43EB4363-564B-60F5-C908-00000000E501}65768168C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5781-60F5-300A-00000000E501}8128C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+108f89|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+73a3e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+738ca|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+11f08a|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+44de53|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058247Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.961{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058246Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.951{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058245Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.943{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058244Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.938{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058243Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.938{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058242Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.930{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058241Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.928{43EB4363-5780-60F5-1C0A-00000000E501}7460NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\Temp\WIN-DC-876-20210719-1044.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058240Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.926{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058239Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.905{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=010CE474DAA48E5F8BF76325EEA58490,SHA256=BED5E5E43941DF5F0BD2014BC8EA06408063B618E7DACCFA22172E32BA8166F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058238Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.901{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058237Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.891{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058236Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.890{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058235Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.887{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058234Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.885{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058233Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.878{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058232Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.878{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-343.datMD5=78D06D7801BCB7D4B47D85E8C86BC976,SHA256=96CE8B1E19A6A634AA809C531AD2EE7E0A12BBC8B86DE352A0D95A3879DFD593,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058231Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.868{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058230Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.854{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-2E0A-00000000E501}7708C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058229Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.854{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-2E0A-00000000E501}7708C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058228Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.853{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058227Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.846{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058226Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.842{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058225Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.838{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058224Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.837{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058223Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.836{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6AB907E061737E628CD07DD8E97A8C9,SHA256=3C8FC16F8D8EBB3400040680110C870EB0B2B306521172E98F8943779226C4DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058222Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.834{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5781-60F5-2E0A-00000000E501}7708C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058221Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.828{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058220Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.810{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058219Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.805{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058218Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.804{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058217Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.802{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058216Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.797{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058215Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.795{43EB4363-5781-60F5-2F0A-00000000E501}10047652C:\Windows\system32\conhost.exe{43EB4363-5781-60F5-2E0A-00000000E501}7708C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058214Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.789{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058213Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.778{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058212Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.775{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058211Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.774{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-2F0A-00000000E501}1004C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058210Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.765{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058209Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.763{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-2E0A-00000000E501}7708C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058208Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.763{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5781-60F5-2E0A-00000000E501}7708C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a07cd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a06d0|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b360f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+43ff8a|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+440305|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058207Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.759{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058206Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.758{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058205Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.754{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058204Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.751{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000058203Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10532021-07-19 10:44:17.743{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Microsoft\Office\Office Automatic Updates 2.02021-07-19 10:44:17.743 10341000x800000000000000058202Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.738{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-2C0A-00000000E501}1304C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058201Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.738{43EB4363-55F0-60F5-A708-00000000E501}63404352C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058200Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.738{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058199Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.738{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-2C0A-00000000E501}1304C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058198Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.738{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058197Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.728{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058196Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.720{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5781-60F5-2C0A-00000000E501}1304C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058195Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.720{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058194Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.692{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-218.datMD5=7C54EE76D5D897B46F98604C4C2B4385,SHA256=394024FB951A4F97CDD402D7211C0A9568CD0E6341FE3B8A513CCB7ADB43EEA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058193Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.691{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058192Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.688{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058191Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.684{43EB4363-5781-60F5-2D0A-00000000E501}77244944C:\Windows\system32\conhost.exe{43EB4363-5781-60F5-2C0A-00000000E501}1304C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058190Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.680{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058189Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.675{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058188Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.674{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058187Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.670{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058186Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.669{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-2D0A-00000000E501}7724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058185Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.660{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058184Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.656{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058183Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.642{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058182Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.630{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058181Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.630{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-2C0A-00000000E501}1304C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058180Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.630{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5781-60F5-2C0A-00000000E501}1304C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a06a9|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b360f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+43ff8a|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+440305|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058179Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.624{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058178Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.620{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058177Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.620{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-2A0A-00000000E501}7648C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058176Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.620{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-2A0A-00000000E501}7648C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058175Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.616{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058174Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.615{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5781-60F5-2A0A-00000000E501}7648C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058173Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.614{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058172Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.612{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058171Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.582{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058170Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.576{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-62.datMD5=AEEE6A80313C491BD2E26FE72FD385FB,SHA256=7D27CD41A89C3414D26155AA1873D3DE19FB068C17C9D4BC584F9CBDD0C771D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058169Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.575{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058168Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.571{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058167Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.570{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058166Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.558{43EB4363-5781-60F5-2B0A-00000000E501}7964616C:\Windows\system32\conhost.exe{43EB4363-5781-60F5-2A0A-00000000E501}7648C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058165Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.556{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058164Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.552{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058163Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.543{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058162Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.532{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058161Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.515{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-2B0A-00000000E501}7964C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058160Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.515{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058159Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.515{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058158Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.515{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058157Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.515{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-2A0A-00000000E501}7648C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058156Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.515{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5781-60F5-2A0A-00000000E501}7648C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a07cd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a0903|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b3834|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+43feb9|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+440305|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058155Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.514{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058154Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.511{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058153Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.497{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7AC825B983802D3AF3F9AD769BF5C82,SHA256=31A6C4538E97A18CBC0CEFBE54EF51B53602BC6846F38F01F60FFF1D21B1B563,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058152Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.496{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058151Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.484{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058150Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.483{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-280A-00000000E501}4100C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058149Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.483{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-280A-00000000E501}4100C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058148Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.476{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5781-60F5-280A-00000000E501}4100C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058147Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.457{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058146Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.457{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058145Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.456{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058144Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.453{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058143Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.450{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058142Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.448{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058141Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.439{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058140Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.420{43EB4363-5781-60F5-290A-00000000E501}81006236C:\Windows\system32\conhost.exe{43EB4363-5781-60F5-280A-00000000E501}4100C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058139Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.411{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058138Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.408{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-890.datMD5=1D69696FF2E6AA855568F00E8360B2A9,SHA256=F22178FD63418EDFC1EF97EC87BFBA525F09400C55A11BA1721B1B1ED495B871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058137Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.405{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058136Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.405{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058135Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.403{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-290A-00000000E501}8100C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058134Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.396{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058133Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.395{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058132Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.387{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058131Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.379{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-280A-00000000E501}4100C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058130Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.379{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5781-60F5-280A-00000000E501}4100C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a08b6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b3834|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+43feb9|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+440305|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058129Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.377{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058128Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.362{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-260A-00000000E501}6428C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058127Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.361{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-260A-00000000E501}6428C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058126Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.359{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058125Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.355{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058124Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.353{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5781-60F5-260A-00000000E501}6428C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058123Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.350{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058122Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.345{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058121Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.345{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF6AC10AC2481B79F1C57F2D9A293A0,SHA256=4812B31E3B6986F69410EA1B55FF693055E8180FBBC6803F7774B6D16ADBE0CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058120Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.344{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058119Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.341{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058118Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.340{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058117Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.336{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058116Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.319{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058115Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.313{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4B0FDB66E84C94B3E9EAEF75F55418,SHA256=E8FE0E9E2036C9E0A22F7AEAB7DF594FFC4BBA113F2457979E5F442A259365D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058114Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.306{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058113Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.295{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058112Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.284{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058111Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.279{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058110Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.277{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058109Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.264{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058108Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.258{43EB4363-5781-60F5-270A-00000000E501}60642972C:\Windows\system32\conhost.exe{43EB4363-5781-60F5-260A-00000000E501}6428C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058107Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.255{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058106Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.252{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058105Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.252{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058104Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.248{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-734.datMD5=ED994631C6633B820C0AE937D6518EB8,SHA256=2F09426C76F94C074CFECB049EE173AEAF664B89EBD83CAF83B68E937B7237C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058103Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.228{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058102Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.221{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058101Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.220{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058100Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.219{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-270A-00000000E501}6064C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058099Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.215{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058098Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.206{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058097Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.205{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058096Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.195{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058095Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.191{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058094Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.180{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-260A-00000000E501}6428C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058093Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.180{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5781-60F5-260A-00000000E501}6428C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a07cd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b3960|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+44029f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058092Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.179{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058091Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.174{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-240A-00000000E501}6060C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058090Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.174{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-240A-00000000E501}6060C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058089Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.171{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058088Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.167{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5781-60F5-240A-00000000E501}6060C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058087Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.162{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058086Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.157{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058085Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.153{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058084Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.144{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058083Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.130{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058082Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.125{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058081Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.123{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058080Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.112{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058079Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.105{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058078Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.103{43EB4363-5781-60F5-250A-00000000E501}69566624C:\Windows\system32\conhost.exe{43EB4363-5781-60F5-240A-00000000E501}6060C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058077Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.088{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058076Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.072{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058075Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.072{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4827DFF16531F42BB76ED290DDF32AD,SHA256=2E277833BA271F97715B538671179309F3B3DCFD64ECFA4F2FBC8EDC5F166F4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058074Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.072{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058073Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.072{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058072Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.056{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058071Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.056{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058070Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.040{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058069Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.040{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-250A-00000000E501}6956C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058068Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.040{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5780-60F5-1C0A-00000000E501}7460C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058067Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.040{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-240A-00000000E501}6060C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058066Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.040{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5781-60F5-240A-00000000E501}6060C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a07cd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a06d0|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b360f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+43ff8a|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+440254|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058065Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.025{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5780-60F5-1C0A-00000000E501}7460C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058064Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.025{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5780-60F5-1C0A-00000000E501}7460C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058063Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.025{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058062Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.025{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058061Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.025{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000058060Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10532021-07-19 10:44:17.009{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor2021-07-19 10:44:17.009 10341000x800000000000000058059Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.009{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058058Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.009{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5780-60F5-220A-00000000E501}7232C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058057Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.009{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5780-60F5-220A-00000000E501}7232C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058056Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.007{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058055Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.005{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5780-60F5-220A-00000000E501}7232C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000028745Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:17.060{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51244-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028744Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:18.599{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47E21A4486D478CFF63A243EB0AC560,SHA256=AB6D7A1F5C676C26A0A36F3CF251114783D6E83BE4E41ABC1EBDC1D2A19C6BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058433Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.988{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B8413853FB847FC241DB37315B7D93C1,SHA256=A9E8410157D9A42EF8F7AED31CD555948ECAB2BB1AA6B80DA68347C304FF5163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058432Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.982{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9428C63DA6BE1BAE29FFE51B23463E68,SHA256=ED5167CC73BCD80D7F55E9E8D8B695AD7AAF2B9BFD6864A1BBF5406365E8D491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058431Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.980{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=63A0BFDEA1121173EF39591C69A5C23D,SHA256=02650F2CB13B833C1E511AB3E2A0797BAAFB9BF79389E0539239718059DE2991,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058430Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.980{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058429Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.970{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=42E8CF471E6C46682CAD28AC300B6D5D,SHA256=F9AC275F7DAB50E0BED5C83721A488165275B2294B3510BB1D61276CE78694EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058428Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.962{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-453.datMD5=DF1A7835E8B36DC561CD9FF41290068C,SHA256=91C274F2BFA934B2705F8C8292EEA9BE067EAB5690AAC627DEA24B8AF6712CB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058427Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.962{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058426Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.961{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058425Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.959{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058424Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.958{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058423Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.956{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058422Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.939{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058421Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.928{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058420Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.922{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058419Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.919{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058418Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.918{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058417Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.917{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058416Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.911{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058415Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.901{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A296ED00B22CFD443C863E3460BB4AB,SHA256=385A388DAA9671196DD2C350D25949592E90DC9ACA5A5782065BD0DF7FC3FFD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058414Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.896{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058413Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.892{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058412Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.892{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058411Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.888{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058410Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.879{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058409Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.875{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058408Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.873{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058407Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.854{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058406Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.846{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AF9EFB3E7E1A9C02390508DEF7BDC63F,SHA256=7A0A2E3B538CA1596228C50CE3C84F7730585C87D53256F7DBF6DFF9CDFF979D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058405Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.844{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058404Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.840{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058403Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.828{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058402Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.819{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058401Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.817{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058400Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.815{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058399Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.809{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058398Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.802{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-296.datMD5=53DE200C18BB667BB1DF67C987A58B7F,SHA256=981AFCF6F138102CB04AAF83F59FE72C6FEF43914596F7C1B34740E13D0353FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058397Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.800{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058396Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.798{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058395Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.797{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058394Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.795{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058393Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.787{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058392Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.787{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058391Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.768{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058390Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.760{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058389Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.754{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058388Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.752{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058387Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.751{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058386Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.743{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058385Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.729{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058384Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.724{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058383Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.722{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058382Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.714{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058381Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.709{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058380Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.708{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058379Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.702{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058378Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.695{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058377Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.693{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058376Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.692{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058375Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.690{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058374Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.657{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058373Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.653{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058372Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.649{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058371Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.649{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-140.datMD5=CD3E1261141DFDA05C6B6FF56673B97F,SHA256=2495043260B63860951CC38F06A68638532D168C67A8739029DC76DB2392D329,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058370Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.648{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058369Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.641{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058368Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.639{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058367Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.633{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058366Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.613{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058365Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.600{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058364Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.599{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058363Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.594{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058362Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.588{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058361Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.583{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058360Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.580{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058359Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.577{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058358Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.564{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058357Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.563{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058356Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.561{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058355Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.559{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058354Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.558{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058353Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.542{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49135559EEAC42611C2F5855C55953B5,SHA256=9547996DAA94B52848D19D732E1B5D7633E68EBCA7A509051AA18747F48FF992,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058352Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.539{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058351Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.531{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058350Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.528{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058349Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.517{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058348Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.510{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058347Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.509{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058346Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.507{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058345Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.490{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058344Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.488{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-984.datMD5=0F5C9B5A9392319E3DCF5E17E0F8B3A4,SHA256=0927B05782578529C3BDDE7CE057CBCDFB1DA03A3D7B7E734F67A199D06D22BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058343Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.482{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058342Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.480{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058341Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.473{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058340Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.468{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058339Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.465{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058338Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.463{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058337Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.462{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058336Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.446{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058335Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.440{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058334Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.434{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058333Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.430{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058332Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.422{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058331Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.422{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058330Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.419{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058329Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.416{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058328Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.412{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058327Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.410{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058326Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.393{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058325Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.375{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058324Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.373{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058323Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.372{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058322Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.369{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058321Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.349{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058320Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.343{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058319Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.341{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-859.datMD5=7A2A774FF60B843B8B9BE20B7ABAB5EA,SHA256=8DD1FEB4E8BC348CFB6C1662A8E486474C110E980A32DA0C86CCB36CC81248FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058318Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.335{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058317Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.331{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058316Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.330{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058315Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.322{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058314Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.319{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058313Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.306{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058312Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.299{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058311Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.292{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058310Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.286{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058309Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.282{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058308Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.281{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058307Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.280{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058306Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.276{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058305Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.259{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058304Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.253{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058303Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.246{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058302Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.243{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058301Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.238{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058300Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.231{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058299Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.230{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058298Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.229{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058297Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.218{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058296Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.213{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058295Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.209{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-703.datMD5=C5CD832C2B34D93D333935DA02116EB9,SHA256=E3A6F092209400EDAA24CE87A5099C5DA50321A4E581A6E716089D75A8E6D749,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058294Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.207{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058293Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.203{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28735A3D6D2B6173EC152C52E37C4D98,SHA256=CF3301B5E885ADFDF2D2722C4F29623446D2C9225C83CF53EEF730D5E53FF0CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058292Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.196{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058291Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.193{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058290Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.192{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058289Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.184{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058288Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.179{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058287Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.178{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058286Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.145{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058285Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.143{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058284Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.139{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058283Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.136{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058282Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.134{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058281Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.130{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058280Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.129{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058279Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.121{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058278Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.113{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058277Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.112{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058276Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.111{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5781-60F5-300A-00000000E501}8128C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058275Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.110{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058274Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.104{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-300A-00000000E501}8128C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058273Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.104{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-300A-00000000E501}8128C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058272Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.094{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC379E63BE3EFB82B06EB837D5AE7B34,SHA256=F29F7F306570EE636F32C8C66BD9C03BBBAA2A3A114CCFB5D1B9DAE2EFA5C68B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058271Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.090{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058270Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.084{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058269Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.079{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058268Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.073{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058267Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.066{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058266Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.061{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-531.datMD5=F2AA6907B5CFA5919915CC314783D3B3,SHA256=5F8F7E7138DAEFD1E2E0156CB474AB3E444415C35F82AF5FD233D101E0AECDB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058265Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.060{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058264Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.059{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058263Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.051{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058262Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.048{43EB4363-5781-60F5-310A-00000000E501}78442384C:\Windows\system32\conhost.exe{43EB4363-5781-60F5-300A-00000000E501}8128C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058261Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.044{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058260Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.037{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058259Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.035{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058258Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.027{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058257Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.023{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-310A-00000000E501}7844C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058256Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.023{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058255Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.022{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058254Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.012{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058253Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.008{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058252Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.000{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058251Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.000{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028746Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:19.818{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2FDFA0DE3BBA90AECB789814891F54,SHA256=ED651445EEB0A0492DF600BCC79BD8F16B039FC1988D3BCC61669CE21598C501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058614Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.997{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BA1374E9569D477C548F71CDF06531FA,SHA256=1D720941EB8F69EC2666B0E87631E61D207A6739CB39CBF792CF826B5B1FF51E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058613Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.996{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058612Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.992{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058611Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.986{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058610Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.966{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058609Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.960{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E2B38FE3BD33F99469F6759490FEF5F2,SHA256=6FAEF3CE222876A14BA492556622980A1F1520403DEF824CAF79157E35F760F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058608Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.958{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058607Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.948{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FBCC95173CF1D4375B7889ECE4766DAD,SHA256=FEDAC7CD599E5B76A2DF3A89D19431CF778D8C90ADA696FAC1A5E0DCAA5B1D16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058606Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.947{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058605Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.939{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058604Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.935{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94B95D4B0C278F06E7079A566937075,SHA256=3A9C167097D2F57CF11EFF8AB938BF5A4DE7D8B0D2DD30A9B87546B4958DDAE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058603Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.915{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058602Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.912{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058601Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.908{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A7CBEEB55BD981088F9A31C566066D17,SHA256=F04BA9F5E770310862D9A42E58D1FD988F834DB205E0EE08041247BDE2E7D57F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058600Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.905{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058599Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.902{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058598Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.898{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058597Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.897{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058596Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.894{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058595Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.888{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058594Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.885{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-359.datMD5=56CC678F24528C74BE19937B1F52874D,SHA256=B4DE0B4B3715CCAD41BF9AA807023CC0883642B4F1137091E1552A79331329D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058593Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.880{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058592Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.880{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058591Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.876{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2B32560E95BBBD82DA244080039461E8,SHA256=46D44E425B8132600FE64AC97B34447C48517B7199CC14199DA253E4B13A2B78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058590Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.873{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058589Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.868{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058588Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.851{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058587Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.839{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D69D815F4D6AFF37FC2CCC79613B0D52,SHA256=C49E72F71D74369A97F0F13A9519E430322094FA9465F4886AEC21E8D2055687,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058586Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.834{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058585Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.830{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058584Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.828{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058583Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.822{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058582Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.819{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058581Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.815{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B001A851213FA6D8396A04E4BAA7CD6A,SHA256=F887560B39AFF084C8A2157BC8DE016A17DA5B80CD0163B27D852BB7440B2412,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058580Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.815{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058579Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.812{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058578Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.807{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058577Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.790{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=33EF0F02ABF81CE8A086B29D2D69E09A,SHA256=318E033770625179B70B7F4CD8AD13AD4CDEC37DDFC0321B3BF3F1269D82C0DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058576Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.790{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058575Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.781{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058574Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.780{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058573Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.779{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F2A44BD56A8A78A7FC5FB40CF8A525B0,SHA256=5AC9C140346B95979082B9E278BCAEA2770D75C506D082AD144CD2206F20AE4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058572Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.768{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058571Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.750{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058570Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.743{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058569Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.741{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058568Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.741{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3458A9D10591F3C82A74A2AC65EC72D1,SHA256=3D61C0EBD34A50E6CB6EF8BDAA9247DBD36272DF1AA181098321337FF9BB6056,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058567Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.738{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058566Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.730{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058565Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.729{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058564Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.712{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058563Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.709{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-171.datMD5=DBB14594C827D8FDFB72F9B248889889,SHA256=4D205B5100F821D5BC98A896A8EDBA3E0672E99EF4C3B492BA5FF43875A4224D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058562Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.706{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058561Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.702{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058560Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.701{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C1BC319FA8341D7B19C4D4E765364C14,SHA256=9347D28DB80DD7D41C9341410A60BE8B46CF37E283D033745F11B7C9D3DF8B45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058559Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.693{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058558Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.688{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058557Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.677{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E4C70D0F78AFCDE9B06B659D870C93D4,SHA256=57BB47B745326430FBE840899393420892453E15EE25E8A1364CFF62649C8DE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058556Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.670{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058555Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.668{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058554Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.663{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058553Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.654{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058552Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.652{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058551Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.641{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058550Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.637{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058549Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.635{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058548Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.635{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=43760AB26925551D4DDFB36FB4D82979,SHA256=F9CFF12579DC4A139A6787F2EB334C5C3FA265B8005A28C17BDA27375069128B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058547Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.625{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058546Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.620{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058545Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.618{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040940D7E50D5E2D87309F579FE61BD7,SHA256=0E4DB6B92AA6D746E4CFF793BFE31264B8BB0DC7C26D7981D46333FF2469548D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058544Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.617{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058543Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.610{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058542Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.607{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058541Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.602{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=75B75EA00AF3A1C7A6A2CC0CF476F115,SHA256=810433A04C42B63CA8C500FCB5E9848B1D26E46B727488FA2AA1B77F2492B59D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058540Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.578{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058539Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.578{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058538Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.575{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058537Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.573{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058536Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.570{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058535Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.542{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DFC02961EBB026F54CB62B28FB7B2007,SHA256=9A0090C4C6C74CA232B70B37F395B63041BCE5831D8F210E5B688E2155571241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058534Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.530{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9C7B234E5AC04C469554BB045D5D99DF,SHA256=26DD624036C355AF9C639964A62F07B0993FB8A225F705BE647942B480537278,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058533Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.529{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058532Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.528{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058531Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.527{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-984.datMD5=A569139E810F662C3042399E18B33052,SHA256=71C87E0CFEC0EB0C6758220F65C6C9EC5C125820616F59AA1A8D2E5878754CE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058530Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.526{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058529Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.522{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058528Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.514{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058527Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.496{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058526Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.494{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058525Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.489{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058524Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.484{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058523Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.480{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058522Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.467{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=801212BFF1321B1EAAC963210B8B6669,SHA256=7298311ED3AD2FEC1947B7AAA6B07B159007E3CA1C9CEB02DAA89911A3A90543,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058521Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.451{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058520Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.450{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058519Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.445{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058518Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.442{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058517Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.438{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058516Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.438{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058515Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.435{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058514Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.414{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9055BA37A6F8C87D8E93D10ADCDDF46C,SHA256=41783F3D8422728BCE0045310A3B95646140C531AB8CFBBE036633BCEF779EAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058513Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.413{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058512Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.405{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058511Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.404{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058510Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.402{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058509Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.402{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058508Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.397{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058507Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.394{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058506Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.390{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058505Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.376{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058504Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.371{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058503Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.368{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058502Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.367{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058501Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.367{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058500Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.356{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2FBBA9415C6D33861B3BD22434075836,SHA256=0CFE90E68A21F47135575F6435484B88F955BA584656D86575BB13D37917F34B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058499Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.344{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058498Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.335{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-796.datMD5=2F597ED9E49E0E68B6BADFC49E6346B1,SHA256=9B6DC46824C6D41A602C7C14A8AD2F46655580D1AC593D1BE3A10321C0768B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058497Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.328{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8E233CE310712AA6FDAD1B84D842C4DE,SHA256=6D98F07FA65A5BA1CD7761C0313939EA11F05F4D6664BF7B4C2F4F74A5724ECC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058496Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.327{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058495Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.327{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058494Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.318{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058493Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.317{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058492Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.316{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058491Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.294{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058490Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.284{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058489Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.281{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058488Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.279{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E2199B6931266BBF65D30B8C426B3B40,SHA256=36B9D8B44D51515FB1C39A7BF4EF1F897BD2DEC719013ECE0EB4AF2FA1B075FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058487Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.275{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058486Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.273{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058485Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.269{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058484Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.269{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058483Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.254{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058482Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.250{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058481Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.249{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058480Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.246{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A57FC073214A480EDDE7A47CF5C63C99,SHA256=E1783A9986FDD54FC2EA31485097BA4676D0046D4812E202FBF30F6A711C852A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058479Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.240{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058478Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.231{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=52167837071E40A93740BC2ADA620D4C,SHA256=C0F853A2DDDACB66B6AD6EA01FCAB7EFBB60D12CB78E703E7017CF65001CFFBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058477Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.231{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058476Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.224{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058475Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.219{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1488426FF7DEDDF79B195D0F8D535D,SHA256=2E1A7E6E66F230C88EEF019058B352C7FDD85B997DF5694080F9829D7AE81250,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058474Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.217{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058473Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.196{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058472Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.192{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058471Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.188{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058470Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.184{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A431ECCD935C67D189B5CD6D61F9E841,SHA256=5C774451B81D1A71C74F083EF81F9F4F4C3FD806B9A3B6CC911D35BBD5E90702,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058469Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.177{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058468Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.174{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058467Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.165{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90712D8E20A4B25F41D93AAF1B08C2CF,SHA256=CE232E9D0C47B71DF7F57CD5F4082D0DB7798E464ABB0C616D93E5AB602B3CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058466Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.163{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5750E2E07205CF43F2DDF43A32B3244B,SHA256=AA91C38B6D37AAF93F8947C1290F793B2A805EE31D4015DAB38F40906F1732F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058465Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.163{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058464Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.159{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058463Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.154{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058462Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.153{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058461Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.151{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058460Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.140{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-609.datMD5=523E3CDD9D63F0DBDFE204E81445258A,SHA256=6751D25894D4A8DA9427739E68DA6EEA044DF738AEB8D058BF8D4BD1E6ADC9F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058459Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.140{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058458Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.119{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058457Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.112{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058456Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.111{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3DC8EA1BC9AA7FA8B1DF891D53F16EF7,SHA256=4D7751AF92F60999355C73EACD5E74EC056BFBE7977748EDD6D40B0D0911E37E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058455Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.108{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058454Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.106{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058453Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.099{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058452Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.098{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058451Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.082{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1369ED54552E6CD093FDFCB052D5CFCF,SHA256=5109EEC342CBCA6A4005F2D6BECD32A1586DCB6469B9991A5F33971BB6B89184,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058450Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.079{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058449Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.075{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F54D995C554A84A14715635D68854B22,SHA256=629DF17768C2827F4BCA1FD327A25F836242690602EBA600E956272643E9463E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058448Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.068{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058447Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.062{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058446Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.061{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9FE8C083BEBF55C7729AD571545E484C,SHA256=067536EC85FF4A0D4BADBE79A9A88B5D24CE836B0DA8F5111A13CCD597F2CBFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058445Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.060{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058444Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.052{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058443Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.051{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058442Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.032{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058441Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.029{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A4C0B873151716A8F95845F67B87DDCA,SHA256=3B620D734B4DE14816679348FC5648AD6E4B4BD9C3CAAFD81A5D4942DE19A631,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058440Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.021{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058439Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.010{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058438Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.020{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058437Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.014{43EB4363-55F0-60F5-A708-00000000E501}63404352C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058436Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.009{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058435Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.004{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9BDB40A28B17964791889300F01A697E,SHA256=C3C5410068FBAF7A7DD7191E1045B9E95A03EECD06101A8C3D331FD8C5A95944,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058434Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.002{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028748Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:20.989{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8CC93BA296B787B4A6681432C54292,SHA256=1401034D7C2AD7491D986365303A505F8355348092BDCC150F2B93D81F2C951C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028747Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:20.958{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=98D97C3558EF313618C8EC453BB4841B,SHA256=32E3ED12932A45C5BDDBBD757945AE29665B7DED1650120DB3D222E4D6E2B142,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.997{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.997{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.988{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5784-60F5-390A-00000000E501}7648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.988{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5784-60F5-390A-00000000E501}7648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.963{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5784-60F5-380A-00000000E501}5104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.956{43EB4363-564B-60F5-C908-00000000E501}65766912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5784-60F5-360A-00000000E501}6604C:\Program Files\Microsoft Office\root\Office16\perfboost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4c224|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4dd30|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+584fe|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+57f5f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+56e48|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.951{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5784-60F5-380A-00000000E501}5104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.951{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5784-60F5-380A-00000000E501}5104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.943{43EB4363-564B-60F5-C908-00000000E501}65766912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5784-60F5-360A-00000000E501}6604C:\Program Files\Microsoft Office\root\Office16\perfboost.exe0x1438C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+73c87|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+7522e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+14519|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1a430|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+84d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+638e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3b280|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3af5e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1015b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1a277|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+2185f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+ae38|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+a8fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000058742Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.943{43EB4363-564B-60F5-C908-00000000E501}65766912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5784-60F5-360A-00000000E501}6604C:\Program Files\Microsoft Office\root\Office16\perfboost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+2d73e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+16070|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+15184|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+17233|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1a40c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+84d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+638e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3b280|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3af5e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1015b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1a277|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+2185f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+ae38|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+a8fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac 10341000x800000000000000058741Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.925{43EB4363-564B-60F5-C908-00000000E501}65766912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5784-60F5-360A-00000000E501}6604C:\Program Files\Microsoft Office\root\Office16\perfboost.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+976c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058740Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.923{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5784-60F5-320A-00000000E501}7468C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058739Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.921{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5784-60F5-370A-00000000E501}6652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058738Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.909{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5784-60F5-370A-00000000E501}6652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058737Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.909{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5784-60F5-370A-00000000E501}6652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058736Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.866{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5784-60F5-360A-00000000E501}6604C:\Program Files\Microsoft Office\root\Office16\perfboost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058735Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.865{43EB4363-564B-60F5-C908-00000000E501}65768168C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5784-60F5-360A-00000000E501}6604C:\Program Files\Microsoft Office\root\Office16\perfboost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+42693f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+44ec27|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+44dffe|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058734Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.844{43EB4363-5784-60F5-330A-00000000E501}7456NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\Temp\WIN-DC-876-20210719-1044b.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058733Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.829{43EB4363-5784-60F5-330A-00000000E501}7456NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeMD5=5F151F4A44F32D83E060B1AB7FD51820,SHA256=5C18C4CC9CDF45EE1B56D63F9D2CA160ED67F5DF644C8B6202805693C17D4B05,IMPHASH=E8BEA05A14048595A134B0431534A6DFfalsefalse - rename failed with status 0xc0000022 10341000x800000000000000058732Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.740{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058731Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.739{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058730Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.706{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058729Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.701{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058728Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.667{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058727Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.665{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058726Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.649{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058725Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.648{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058724Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.626{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058723Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.624{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058722Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.618{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058721Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.617{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058720Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.615{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058719Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.614{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-15.datMD5=F8829E746BD704BCCD0C0F3EF26937DF,SHA256=50CAD5BB5A157219454271F89036742DBE01BD4298AECC254C30CD07B767CF0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058718Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.594{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DF38A276575DB32AC400DF0AEAAA65,SHA256=C6F7FFAF1D11C1A0633F067319F8ABD6179E0EB87538D14F132FF2A8DB31C74A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058717Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.588{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058716Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.565{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058715Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.555{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058714Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.555{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058713Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.550{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058712Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.547{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058711Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.546{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058710Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.519{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058709Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.518{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058708Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.513{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058707Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.512{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058706Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.505{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058705Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.505{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058704Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.502{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058703Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.488{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058702Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.470{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058701Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.465{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058700Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.460{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058699Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.455{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058698Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.451{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058697Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.433{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058696Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.422{43EB4363-5774-60F5-2109-00000000E501}72607104C:\Windows\system32\conhost.exe{43EB4363-5784-60F5-350A-00000000E501}6060C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058695Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.415{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058694Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.414{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058693Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.412{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058692Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.399{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058691Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.397{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5784-60F5-350A-00000000E501}6060C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058690Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.395{43EB4363-5774-60F5-1E09-00000000E501}75847600C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{43EB4363-5784-60F5-350A-00000000E501}6060C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+3d7ae(wow64)|UNKNOWN(0000000004444853)|UNKNOWN(0000000004444504)|UNKNOWN(00000000044452ED)|UNKNOWN(0000000004442845)|UNKNOWN(0000000004440F66)|UNKNOWN(0000000004440950)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+f066(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1234a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1862b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+199457(wow64) 10341000x800000000000000058689Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.386{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058688Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.382{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058687Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.382{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058686Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.376{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058685Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.374{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058684Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.368{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-765.datMD5=40C7A6FAE704B491D5BDE1B84E617E89,SHA256=D52D3586BC558D6D71D25C1A5EC83965CCA11C03785931A1DDF855AA08B8C20F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058683Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.359{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058682Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.355{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058681Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.352{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058680Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.340{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058679Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.336{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058678Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.336{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058677Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.321{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5784-60F5-330A-00000000E501}7456C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058676Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.319{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058675Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.316{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5784-60F5-330A-00000000E501}7456C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058674Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.316{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\